[Zope] dynamically created tablename in ZSQL

Roger Erens rerens@dela.org
Fri, 5 Jul 2002 13:55:57 +0200


Hello all,

I would like to choose via a formfield (called 'tablename') which table
('employers' or 'employees') is going to be queried.

I use in my ZSQL Method the following:
select * from <dtml-var tablename>
because
select * from <dtml-sqlvar tablename type=string>
results in e.g.
select * from 'employees'
which results in an sql error because of the quotes.

Any advice with respect to the safety of using the dtml-var, i.e. could the
formfield 'tablename' be fiddled with to contain something like 'employees;
delete from employees'?

Is there an alternative solution to get rid of the quotes in the
dtml-sqlvar?


best regards,
Roger Erens
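An allowlist check is the usual safe answer to the question above. The following is an added example (not from the original post and not Zope's ZSQL code): plain Python with the standard-library sqlite3 module, showing how to accept only the two known table names before splicing an identifier into the SQL text, so the crafted value from the question is rejected before any query runs. The function names, the in-memory database and its rows are constructed for the demonstration.

```python
import sqlite3

# Only these identifiers may ever be spliced into the SQL text.
ALLOWED_TABLES = {"employers", "employees"}


def build_query(tablename):
    """Return 'select * from <table>' only if tablename is on the allowlist.

    Identifiers cannot be passed as bound parameters (which is why the quoted
    sqlvar form fails), so the safe option is to validate against a fixed set
    and then quote the identifier with standard SQL double quotes.
    """
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (tablename,))
    return 'select * from "%s"' % tablename


def is_safe_tablename(tablename):
    """True when build_query accepts the value, False when it rejects it."""
    try:
        build_query(tablename)
    except ValueError:
        return False
    return True


def query_table(conn, tablename):
    """Run the allowlisted query and return all rows."""
    return conn.execute(build_query(tablename)).fetchall()


def demo_db():
    """Constructed in-memory database with the two tables from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employers (id integer, name text)")
    conn.execute("create table employees (id integer, name text)")
    conn.execute("insert into employers values (1, 'Acme')")
    conn.executemany("insert into employees values (?, ?)",
                     [(1, "Alice"), (2, "Bob")])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(query_table(conn, "employees"))
    # The form value from the question never reaches the database.
    print(is_safe_tablename("employees; delete from employees"))
```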