I'm writing a search query to a MySQL database.  I want to keep
people from screwing around with my database by running searches like ";
delete from ... yada yada.  So I should use <dtml-sqlvar>, right?  But
what if I want to use LIKE?
  If I say:  WHERE goo LIKE "%<dtml-sqlvar name=bar type=string>%"  then
effectively I am saying: WHERE goo LIKE "%'somestring'%".  In other
words, it will match only the string with the single quotes.  I hope
this makes sense.  Has anyone faced a similar problem?
  Thanks for any help


Zope maillist  -  [EMAIL PROTECTED]
**   No cross posts or HTML encoding!  **
(Related lists - 
 http://lists.zope.org/mailman/listinfo/zope-dev )

Reply via email to