[Zope] question about forms and zsql
Dieter Maurer
dieter@handshake.de
Wed, 13 Feb 2002 18:55:05 +0100
Thomas B. Passin writes:
> ....
> select * from table where name like '%&dtml-searchphrase;%'
Please do not forget "sql_quote" inside SQL strings.
Otherwise, some malicious user may play havoc with your database
(by closing the string, adding a very bad SQL command in which the
string is reopened).
> ...
> Finally, if the searchphrase value might have quotes in it, make sure to
> use the sql quoting option (check the docs for the exact syntax).
Do it, even when you think there should be no quotes...
Dieter