sqltest just creates the full string of the where clause segment
for the test using the same kind of 'safe' sql-string logic as
sqlvar: so you should be able to replace the value to test against
with any valid python expression, such as the one below where
the % operators are concatenated onto the variable holding the
value you want to test against. :)

As for the difference between <dtml-sqlvar> and <dtml-var sqlquote>
(in case anyone is confused), an sqlvar tag requires a
type value and will not only perform an sqlquote on the value
being inserted into the statement, but will do any/all type
conversion/stripping (letters from numeric values, etc) needed
based upon the requested type.

If anyone is concerned/puzzled by the security hazards I listed
below, here is a URL describing problems associated with bad data
used within queries and a mysql DB:
See the bullet point beginning with 'Do not trust any data entered by

Sorry if I seemed harsh in my original post, but security is my
bread and butter, so I may tend to be Loud when I see something

PS: In order to increase the safety of ZSQLMethods, maybe the basic
<dtml-var> tag should be made illegal inside it? (forced usage
of the safe form would break some existent code, possibly, but
would avoid confusion such as this in general - and thus be safer)

> -----Original Message-----
> From: Schmidt, Allen J. [mailto:[EMAIL PROTECTED]]
> Sent: Friday, February 09, 2001 7:01 AM
> To: 'Jon Franz'; '[EMAIL PROTECTED]'
> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
> Got it. Making the change now. Thanks for keeping an eye on
> this thread.
> What about the sqltest suggestion posted on this thread?
> Or do sqltest
> and sqlvar handle DB calls in a similar fashion?
>> -----Original Message-----
>> From: Jon Franz [mailto:[EMAIL PROTECTED]]
>> Sent: Thursday, February 08, 2001 3:54 PM
>> To: '[EMAIL PROTECTED]'
>> Subject: Bad: Re: [Zope-dev] ZSQL using LIKE operator
>> No, this is bad!! Do NOT do this - it will allow Bad
Zope-Dev maillist - [EMAIL PROTECTED]
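The following is an added example, not Zope's own DocumentTemplate code and not written by anyone in this thread. It models the three rendering paths discussed above (plain <dtml-var>, <dtml-var sqlquote>, and the typed <dtml-sqlvar>/<dtml-sqltest>) in plain Python so the WHERE fragments each one produces can be compared side by side for the same input, including the LIKE pattern built by concatenating % around the value. The function names render_var, sql_quote, sqlvar, sqltest, like_clause and compare, the OPS table, the type names and the sample value "O'Reilly" are assumptions of this model. The quoting rule is only the doubled single quote; a real database adapter (ZMySQLDA for the MySQL case mentioned above) may need additional escaping, and user-supplied % or _ inside a LIKE pattern are still wildcards.

```python
"""Toy model of how a ZSQL Method can interpolate a Python value into SQL.

Added example, not Zope's DocumentTemplate code. It models the three
rendering paths discussed in the thread so the generated SQL can be
compared. Quoting is the double-the-single-quote rule only; a real
adapter may need more (e.g. backslash escaping for MySQL).
"""
import re

def render_var(value):
    """<dtml-var name>: raw str() of the value, no quoting at all."""
    return str(value)

def sql_quote(value):
    """<dtml-var name sqlquote>: wrap in single quotes, doubling any
    embedded single quote so it cannot terminate the literal early."""
    return "'" + str(value).replace("'", "''") + "'"

_INT_RE = re.compile(r"[+-]?\d+")

def sqlvar(value, type="string"):
    """<dtml-sqlvar name type=...>: convert to the declared SQL type first,
    then quote. Input that does not fit the type raises here instead of
    reaching the database as part of the statement. (Model: the type
    names int/float/nb/string mirror the tag, the checks are our own.)"""
    if type == "int":
        text = str(value).strip()               # strip whitespace
        if not _INT_RE.fullmatch(text):         # require a whole integer
            raise ValueError("sqlvar: %r is not an int" % (value,))
        return str(int(text))
    if type == "float":
        try:
            return repr(float(str(value).strip()))
        except ValueError:
            raise ValueError("sqlvar: %r is not a float" % (value,))
    if type == "nb":                            # non-blank string
        if not str(value).strip():
            raise ValueError("sqlvar: blank value for type nb")
        return sql_quote(value)
    if type == "string":
        return sql_quote(value)
    raise ValueError("sqlvar: unknown type %r" % (type,))

# comparison operators accepted by the model's sqltest (assumed names)
OPS = {"eq": "=", "ne": "<>", "lt": "<", "le": "<=", "gt": ">", "ge": ">="}

def sqltest(column, value, op="eq", type="string"):
    """<dtml-sqltest column op=... type=...>: a complete comparison
    fragment built with the same typed quoting as sqlvar."""
    return "%s %s %s" % (column, OPS[op], sqlvar(value, type))

def like_clause(column, value):
    """The LIKE case from the thread: build the pattern in Python first,
    then push it through the typed quoting path like any other value."""
    return "%s LIKE %s" % (column, sqlvar("%" + str(value) + "%", "string"))

def compare(value):
    """Render one value through each path; returns the WHERE fragments."""
    return {
        "var": "name = '%s'" % render_var(value),   # the unsafe form
        "sqlquote": "name = %s" % sql_quote(value),
        "sqltest": sqltest("name", value),
        "like": like_clause("name", value),
    }

def rejects(value, type):
    """True when sqlvar refuses the value for the given type."""
    try:
        sqlvar(value, type)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    # constructed sample input: a legitimate name containing a quote
    for path, sql in compare("O'Reilly").items():
        print("%-9s %s" % (path, sql))
    print("int ok    %s" % sqlvar(" 42 ", "int"))
    print("int bad   %s" % rejects("42abc", "int"))
```

Run as a script, the "var" line shows the literal closed early by the embedded quote (everything after it is parsed as SQL), while the sqlquote, sqltest and LIKE lines carry the doubled quote; the int examples show that the typed path also refuses non-numeric input rather than interpolating it.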