[Zope] Search Interface Gone awry! Red! No, Blue.....ahhhh.....

2000-07-20 Thread Sean G Richards


Here is my search interface and SQL method.

search_query:

<dtml-var standard_html_header>

<form action="search_result" method="get">
<h2><dtml-var document_title></h2>
<input name="select_statment" value="select * from courses_description ">
<input name="where_statement" value=" where subject = 'ee'">
<input type="SUBMIT" name="SUBMIT" value="Submit Query">
</td></tr>
</table>
</form>
<dtml-var standard_html_footer>

search_results:

<dtml-var standard_html_header>
<dtml-in search_method size=50 start=query_start>
   <dtml-if sequence-start>

      <dtml-if previous-sequence>

        <a href="<dtml-var URL><dtml-var sequence-query
                 >query_start=<dtml-var
                 previous-sequence-start-number>">
        (Previous <dtml-var previous-sequence-size> results)
        </a>

      </dtml-if previous-sequence>

      <table border>
        <tr>
          <th>SUBJECT</th>
          <th>COURSE NBR</th>
          <th>PART</th>
          <th>TEXT</th>
        </tr>

   </dtml-if sequence-start>

        <tr>
          <td><dtml-var SUBJECT></td>
          <td><dtml-var COURSE_NBR></td>
          <td><dtml-var PART></td>
          <td><dtml-var TEXT></td>
        </tr>

   <dtml-if sequence-end>

      </table>
      <dtml-if next-sequence>

        <a href="<dtml-var URL><dtml-var sequence-query
                 >query_start=<dtml-var
                 next-sequence-start-number>">
        (Next <dtml-var next-sequence-size> results)
        </a>

      </dtml-if next-sequence>
   </dtml-if sequence-end>

<dtml-else>

  There was no data matching this <dtml-var title_or_id> query.

</dtml-in>

<dtml-var standard_html_footer>

Z_SQL_method(search_method):

<dtml-with search_query>
<dtml-call "REQUEST.set('left', select_statment + where_statement)">
</dtml-with>
<dtml-var left>

What I am trying to do is concatenate select_statment and
where_statement into a single statement known as left. There will be
more parameters when I get this to work. Then, I want to use left,
which would be a valid SQL statement, and throw it at my Z SQL method.
I don't understand why I can't accomplish this; it doesn't seem like it
should be difficult to me. Thank you for reading this and thanks in
advance for any help.

-Sean


--
Sean G. Richards  : Web Technician/Treasurer PLUG
Purdue University : Engineering Computing Network
[EMAIL PROTECTED] :




___
Zope maillist  -  [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-announce
 http://lists.zope.org/mailman/listinfo/zope-dev )




Re: [Zope] Search Interface Gone awry! Red! No, Blue.....ahhhh.....

2000-07-20 Thread Oleg Broytmann

Wow, wow, very interesting!

On Thu, 20 Jul 2000, Sean G Richards wrote:
> <form action="search_result" method="get">
> <h2><dtml-var document_title></h2>
> <input name="select_statment" value="select * from courses_description ">
> <input name="where_statement" value=" where subject = 'ee'">
> <input type="SUBMIT" name="SUBMIT" value="Submit Query">
> </td></tr>
> </table>
> </form>

   Please send me the real URL of the form ASAP. I will download the page,
replace "select *" with "DELETE FROM" and submit the form!
   Never saw a nicer security hole! :)

Oleg.        (All opinions are mine and not of my employer)
 
Oleg Broytmann  Foundation for Effective Policies  [EMAIL PROTECTED]
   Programmers don't die, they just GOSUB without RETURN.
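
The hole pointed out in the reply above, next to a server-side alternative, as an added example that is not part of either message and is not Zope code: Python's sqlite3 stands in for the Z SQL method, and the table rows, `SEARCHABLE` and all function names are constructed for illustration.

```python
import sqlite3

# Constructed rows standing in for the thread's courses_description table.
ROWS = [("ee", "201", "1", "Linear Circuit Analysis"),
        ("ee", "255", "1", "Electronic Devices"),
        ("me", "200", "1", "Thermodynamics")]

# Server-side allowlist: the only columns a client may filter on.
SEARCHABLE = {"subject", "course_nbr", "part"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE courses_description "
               "(subject TEXT, course_nbr TEXT, part TEXT, text TEXT)")
    db.executemany("INSERT INTO courses_description VALUES (?, ?, ?, ?)", ROWS)
    return db


def count(db):
    return db.execute("SELECT COUNT(*) FROM courses_description").fetchone()[0]


def search_unsafe(db, select_statment, where_statement):
    # Mirrors the posted Z SQL method: both strings arrive from form fields
    # and are concatenated, so the client decides which statement runs.
    return db.execute(select_statment + where_statement).fetchall()


def search_safe(db, filters):
    # The statement text is fixed on the server. The form supplies only
    # values, which are bound as parameters and never parsed as SQL.
    clauses, params = [], []
    for column, value in sorted(filters.items()):
        if column not in SEARCHABLE:
            raise ValueError("unsupported search field: %r" % (column,))
        clauses.append(column + " = ?")
        params.append(value)
    sql = "SELECT subject, course_nbr, part, text FROM courses_description"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return db.execute(sql + " ORDER BY course_nbr", params).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(search_safe(db, {"subject": "ee"}))            # two 'ee' rows
    print(search_safe(db, {"subject": "ee' OR '1'='1"}))  # [] (literal value)
    print(count(db))                                       # 3, table intact
```

In a Z SQL Method the same split is made by declaring `subject` as an argument and inserting it with `<dtml-sqlvar subject type="string">`, so the form never carries SQL text.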

