[Zope] Please help with DTML-in (newbie)

Jaroslav Lukesh lukesh at seznam.cz
Wed Dec 28 17:03:21 EST 2005


> I am trying to use a python script to call a Z SQL method.  The python

You need to have defined "words" as a parameter for the ZSQL Method. You have tried
to call the property wordlist, which does not exist.

Here is your ZSQL with the safety (not the functional) concern addressed:

<params>
words:string
</params>

SELECT * FROM table
WHERE

<dtml-in words prefix="wrd">

(
	column1 LIKE '%<dtml-var wrd_item sql_quote>%'
	OR
	column2 LIKE '%<dtml-var wrd_item sql_quote>%'
)
<dtml-unless sequence-end> AND </dtml-unless>

</dtml-in>


And here are some functional tips for you:

<dtml-sqltest>
<dtml-sqlgroup>


> -----z sql script:
> SELECT * FROM table
> WHERE
> <dtml-in words>
> column1 LIKE ('<dtml-var "'%'+sequence-item+'%'">' OR
> column2 LIKE '<dtml-var "'%'+sequence-item+'%'">') <dtml-unless sequence-
> end> AND </dtml-unless>
> </dtml-in>

Nice example for easy SQL injection!
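As an added example that is not part of this thread, the Python below mirrors the two Z SQL variants (the quoted original and the sql_quote version) against an in-memory SQLite table with constructed rows, so the effect of sql_quote on a word containing an apostrophe is visible. The sql_quote helper, the table and its rows are constructed here for the demonstration; Zope's own sql_quote escapes a string literal in the same way, by doubling single quotes.

```python
import sqlite3

def sql_quote(value: str) -> str:
    """Escape a string literal the way DTML's sql_quote does: double every
    single quote. It does not touch the LIKE wildcards % and _, so a word
    containing them still acts as a pattern (a separate concern)."""
    return value.replace("'", "''")

def build_where_unsafe(words):
    # Mirrors the quoted method: the word is spliced into the literal as-is.
    return " AND ".join(
        f"(column1 LIKE '%{w}%' OR column2 LIKE '%{w}%')" for w in words
    )

def build_where_quoted(words):
    # Mirrors the corrected method: <dtml-var wrd_item sql_quote>.
    return " AND ".join(
        f"(column1 LIKE '%{sql_quote(w)}%' OR column2 LIKE '%{sql_quote(w)}%')"
        for w in words
    )

def run(where):
    # Constructed sample table standing in for the poster's "table".
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE t (column1 TEXT, column2 TEXT);
        INSERT INTO t VALUES ('apple pie', 'dessert');
        INSERT INTO t VALUES ('zope book', 'reading');
        INSERT INTO t VALUES ('secret', 'hidden');
    """)
    rows = conn.execute("SELECT column1 FROM t WHERE " + where).fetchall()
    conn.close()
    return [r[0] for r in rows]

def search(words, quoted=True):
    """Return matching column1 values, or None when the generated SQL is
    malformed (the literal was broken by the input, as with an apostrophe)."""
    where = build_where_quoted(words) if quoted else build_where_unsafe(words)
    try:
        return run(where)
    except sqlite3.OperationalError:
        return None

if __name__ == "__main__":
    print(search(["apple"]))                 # ['apple pie'] either way
    print(search(["O'Brien"], quoted=False))  # None: apostrophe broke the SQL
    print(search(["O'Brien"]))                # []: quoted literal, simply no match
```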