[Zope] Re: [Zope-dev] How to use dtml-sqltest tag in zsql method?
Jim Penny
jpenny@universal-fasteners.com
Tue, 29 Jul 2003 14:38:36 -0400
On Tue, 29 Jul 2003 18:32:46 +0100
Chris Withers <chrisw@nipltd.com> wrote:
> Hi Anitha,
>
> This is probably best aimed at the zope@zope.org list...
>
> Anitha George wrote:
>
> > I am passing a string in this format (215,216) from the python
> > script to the Zsql method.
>
> What does your python script look like at the point where you call the
> ZSQL method?
>
> > The SQl query should have the following form:
> > select * from employees where id in (215,216)
> > but is as follows:
> > select * from employees where id in '(215,216)' which does not
> > give the required result. The id is of data type string/nb.
>
> What is a string/nb?
String, non-blank.
> Just try replacing the <dtml-sqlvar> with a normal <dtml-var> for the
> variable containing your (215,216) string...
Well, use
select * from employees where id in <dtml-var ... sql_quote>.
... represents the variable name.
To prevent sql injection problems, always either use the dtml-sqlvar
form, or be sure that you sql_quote each dtml-var form.
Jim Penny
>
> cheers,
>
> Chris
>
>
> _______________________________________________
> Zope maillist - Zope@zope.org
> http://mail.zope.org/mailman/listinfo/zope
> ** No cross posts or HTML encoding! **
> (Related lists -
> http://mail.zope.org/mailman/listinfo/zope-announce
> http://mail.zope.org/mailman/listinfo/zope-dev )
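The thread's underlying problem, the value `(215,216)` arriving as one quoted literal instead of a list, is what `dtml-sqltest` with the `multiple` flag is designed for: it renders `id in (215, 216)` from a real list, and each element is typed and quoted on its own. The following is an added example, not Jim's code and not part of Zope: it reproduces the same shape in plain Python against an in-memory SQLite table (a constructed stand-in for the poster's `employees` table, assuming a numeric `id` column; a string column would use `type="string"` in the tag instead). The script parses the incoming string into integers, binds each one as a separate placeholder, and shows the broken single-literal query from the thread beside it for contrast.

```python
import sqlite3

# Constructed sample rows standing in for the poster's "employees" table.
SAMPLE_EMPLOYEES = [(214, "ann"), (215, "bob"), (216, "cy")]


def parse_id_list(raw):
    """Turn the string the poster passes, e.g. '(215,216)', into a list of ints.

    Anything that is not a comma-separated run of digits is rejected, so the
    value can never carry SQL syntax into the query.
    """
    text = raw.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    ids = []
    for part in text.split(","):
        part = part.strip()
        if not part.isdigit():
            raise ValueError("non-integer id in list: %r" % part)
        ids.append(int(part))
    return ids


def is_valid_id_list(raw):
    """True if parse_id_list accepts the value, False otherwise."""
    try:
        parse_id_list(raw)
    except ValueError:
        return False
    return True


def build_in_query(ids):
    """Build the IN clause with one bound placeholder per id.

    This is the shape <dtml-sqltest id type="int" multiple> renders: the
    values travel separately from the SQL text instead of being pasted in.
    """
    placeholders = ", ".join("?" for _ in ids)
    return "SELECT id, name FROM employees WHERE id IN (%s)" % placeholders


def naive_query(raw):
    """The query the poster actually got: the whole string as one literal."""
    return "SELECT id, name FROM employees WHERE id IN '%s'" % raw


def find_employees(raw):
    """Run the parameterised query against an in-memory table (constructed)."""
    ids = parse_id_list(raw)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO employees VALUES (?, ?)", SAMPLE_EMPLOYEES)
    rows = conn.execute(build_in_query(ids), ids).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    print(naive_query("(215,216)"))      # the broken form from the thread
    print(build_in_query([215, 216]))    # the bound-parameter form
    print(find_employees("(215,216)"))   # [(215, 'bob'), (216, 'cy')]
```

The point of the parser plus placeholders is that the database only ever sees integers as parameters; escaping quotes inside an unquoted value, which is all `sql_quote` does, leaves the value itself free to be read as SQL, so validating the type (as `dtml-sqlvar`/`dtml-sqltest` do with `type="int"`) is the part that actually closes the injection risk Jim mentions.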