No, this is bad!! Do NOT do this - it will allow bad characters in your SQL
query that could allow mischievous people to tamper with your DB and
possibly hack your box
(depending upon what DB you are using, how it is configured, what user it
runs as, etc).
This is the whole reason the dtml-sqlvar tag exists - _safe_ conversion to
formats usable by your DB, including escaping of bad characters.

Instead, do this:

SELECT * FROM table WHERE keywords LIKE <dtml-sqlvar "'%' + my_var + '%'" type="string">

The expression inside the quotes will handle adding the %'s to the beginning
and end of your string, and sqlvar's required type="string" attribute makes it
quote and escape the result as one string value.

Sorry about the correction, but this can be a big security hazard...

~Jon Franz/'Coventry':

>Message: 9
>Date: Thu, 08 Feb 2001 07:32:48 -0500
>Subject: Re: [Zope-dev] ZSQL using LIKE operator
>From: Jens Vagelpohl <[EMAIL PROTECTED]>
>To: "Schmidt, Allen J." <[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
>just write it out like:
>SELECT * FROM table WHERE keywords LIKE '%<dtml-var name="my_var">%'

Zope-Dev maillist  -  [EMAIL PROTECTED]
**  No cross posts or HTML encoding!  **