[Zope] question about forms and zsql
Thomas B. Passin
tpassin@mitretek.org
Wed, 13 Feb 2002 16:01:46 -0500
[Dieter Maurer]> Thomas B. Passin writes:
> > ....
> > select * from table where name like '%&dtml-searchphrase;%'
> Please do not forget "sql_quote" inside SQL strings.
> Otherwise, some malicious user may play havoc with your database
> (by closing the string, adding a very bad SQL command in which the
> string is reopened).
>
> > ...
> > Finally, if the searchphrase value might have quotes in it, make sure
> > to use the sql quoting option (check the docs for the exact syntax).
> Do it, even when you think, there should be no quotes...
>
Amen...
Tom P
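To make the warning above concrete, here is an added example (not from the thread, Zope or the Zope DA) that rebuilds the `like '%...%'` query three ways in plain Python against an in-memory SQLite table: with the raw interpolation the original `&dtml-searchphrase;` does, with quote doubling (what DTML's `sql_quote` option does to a string), and with a driver placeholder. The table rows, the `secrets` table and the payload are constructed for the demo.

```python
import sqlite3

# Constructed sample data, not from the original thread.
ROWS = [("alice",), ("bob",), ("carol",), ("o'brien",)]

# Constructed payload: close the string literal, append a UNION that reads
# another table, then reopen a string so the trailing %' of the template
# still parses. This is the "close the string, add a bad command, reopen
# the string" pattern Dieter describes.
PAYLOAD = "x%' union select v from secrets where 'a' like '%a"


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("create table tbl (name text)")
    con.executemany("insert into tbl values (?)", ROWS)
    con.execute("create table secrets (v text)")
    con.execute("insert into secrets values ('s3cret')")
    return con


def unsafe_query(phrase):
    # Same shape as: select * from table where name like '%&dtml-searchphrase;%'
    return "select name from tbl where name like '%" + phrase + "%'"


def sql_quote(s):
    # What the DTML sql_quote option does: double every single quote, so the
    # value can never terminate the literal it is embedded in.
    return s.replace("'", "''")


def quoted_query(phrase):
    return "select name from tbl where name like '%" + sql_quote(phrase) + "%'"


def run_unsafe(phrase):
    return [r[0] for r in make_db().execute(unsafe_query(phrase))]


def run_quoted(phrase):
    return [r[0] for r in make_db().execute(quoted_query(phrase))]


def run_param(phrase):
    # Driver placeholder: the value never touches the SQL text at all, and the
    # wildcards are part of the bound value, not the statement.
    con = make_db()
    return [r[0] for r in con.execute(
        "select name from tbl where name like ?", ("%" + phrase + "%",))]


def unsafe_breaks(phrase):
    # True if the naive query is not even valid SQL for this input
    # (an apostrophe in a perfectly honest name is enough).
    try:
        run_unsafe(phrase)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    print("unsafe:", run_unsafe(PAYLOAD))    # leaks the secrets table
    print("quoted:", run_quoted(PAYLOAD))    # just a search that matches nothing
    print("param: ", run_param(PAYLOAD))
    print("unsafe breaks on o'b:", unsafe_breaks("o'b"))
    print("quoted o'b:", run_quoted("o'b"))
```

The second point in the thread, quoting even when you "know" there are no quotes, is the `o'b` case: without quoting, an ordinary name with an apostrophe turns the statement into a syntax error, and with quoting it simply matches. In a ZSQL method the equivalent of the placeholder version is `<dtml-sqlvar searchphrase type=string>`, which quotes for you.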