, February 08, 2001 3:54 PM
To: '[EMAIL PROTECTED]'
Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
No, this is bad!! Do NOT do this - it will allow bad characters in your SQL query that could allow mischievous people to tamper with your DB and possibly hack your box (depending upon what DB you
: Friday, February 09, 2001 7:01 AM
To: 'Jon Franz'; '[EMAIL PROTECTED]'
Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
Got it. Making the change now. Thanks for keeping an eye on this thread.
What about the sqltest suggestion posted on this thread? Or do sqltest and sqlvar
: [Zope-dev] ZSQL using LIKE operator
sqltest just creates the full string of the where clause segment for the test using the same kind of 'safe' sql-string logic as sqlvar: so you should be able to replace the value to test against with any valid Python expression, such as the one below where
just write it out like:
SELECT * FROM table WHERE keywords LIKE '%<dtml-var name="my_var">%'
jens
on 2/8/01 7:17, Schmidt, Allen J. at [EMAIL PROTECTED] wrote:
I have been through the docs, searched a variety of locations, and cannot find anything on how to resolve a query which I need to
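As an added illustration, not part of the thread, here is the same hazard and the sqlvar-style fix written in plain Python against an in-memory sqlite3 table (the table, rows and function names are my own constructions). Raw interpolation corresponds to the LIKE '%<dtml-var name="my_var">%' pattern above; quote_sql_string stands in for what I understand <dtml-sqlvar type=string> does (quote the value, escape embedded quotes), with the LIKE wildcards supplied as part of the value expression as Jon suggests; the third variant uses DB-API placeholders so the adapter does the quoting.

```python
import sqlite3

# Constructed sample data standing in for the thread's "table".
ROWS = [
    ("zope", "python web appserver"),
    ("vinyl", "rock'n'roll records"),   # embedded single quotes on purpose
    ("sql", "databases"),
]


def make_db():
    """Build an in-memory sqlite3 database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, keywords TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?)", ROWS)
    return conn


def quote_sql_string(value):
    """Hypothetical stand-in for <dtml-sqlvar type=string>: wrap the value in
    single quotes and double any embedded single quote so the value can never
    terminate the literal. (Assumes standard SQL quoting; some adapters also
    treat backslashes specially, so prefer the adapter's own quoting.)"""
    return "'" + value.replace("'", "''") + "'"


def query_dtml_var_style(conn, my_var):
    """Equivalent of LIKE '%<dtml-var name="my_var">%': raw interpolation.
    Any quote in my_var changes the structure of the statement."""
    sql = "SELECT name FROM items WHERE keywords LIKE '%" + my_var + "%'"
    return [row[0] for row in conn.execute(sql)]


def query_sqlvar_style(conn, my_var):
    """Equivalent of LIKE <dtml-sqlvar expr="'%' + my_var + '%'" type=string>:
    the wildcards are part of the value, and the whole value is quoted."""
    literal = quote_sql_string("%" + my_var + "%")
    sql = "SELECT name FROM items WHERE keywords LIKE " + literal
    return [row[0] for row in conn.execute(sql)]


def query_parameterized(conn, my_var):
    """DB-API placeholder: the value never touches the SQL text at all."""
    sql = "SELECT name FROM items WHERE keywords LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + my_var + "%",))]


def breaks_query(conn, my_var):
    """True if raw interpolation of my_var yields a malformed statement."""
    try:
        query_dtml_var_style(conn, my_var)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("plain search:", query_dtml_var_style(db, "python"))
    print("raw interpolation of a quoted value breaks:", breaks_query(db, "rock'n"))
    print("sqlvar-style:", query_sqlvar_style(db, "rock'n"))
    print("parameterized:", query_parameterized(db, "rock'n"))
```

The single quote in "rock'n" is enough to show the difference: the interpolated statement is no longer the statement the template author wrote, while the quoted and parameterized forms still search for exactly that text.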
Cc: Schmidt, Allen J.; [EMAIL PROTECTED]
Subject: Re: [Zope-dev] ZSQL using LIKE operator
Jens Vagelpohl wrote:
just write it out like:
SELECT * FROM table WHERE keywords LIKE '%<dtml-var name="my_var">%'
jens
on 2/8/01 7:17, Schmidt, Allen J. at [EMAIL PROTECTED] wrote:
nd of your string.
Sorry about the correction, but this can be a big security hazard...
~Jon Franz/'Coventry': http://www.zope.org/Members/Coventry
Message: 9
Date: Thu, 08 Feb 2001 07:32:48 -0500
Subject: Re: [Zope-dev] ZSQL using LIKE operator
From: Jens Vagelpohl [EMAIL PROTECTED]
To: "S
Schmidt, Allen J. writes:
how to resolve a query which I need to read:
SELECT * FROM table WHERE keywords LIKE '%keywords_variable%'
dtml-sqltest has 'op=like' and when set to 'type=string' produces the LIKE operation in the query, with single quotes, but I cannot get it to