Hello,
I'm writing a search query to a MySQL database. I want to keep
people from screwing around with my database by running searches like ";
delete from ... yada yada. So I should use <dtml-sqlvar>, right? But
what if I want to use LIKE?
If I say: WHERE goo LIKE "%<dtml-sqlvar name=bar type=string>%" then
effectively I am saying: WHERE goo LIKE "%'somestring'%". In other
words, it will match only the string with the single quotes. I hope
this makes sense. Has anyone faced a similar problem?
Thanks for any help
--Aaron
_______________________________________________
Zope maillist - [EMAIL PROTECTED]
http://lists.zope.org/mailman/listinfo/zope
** No cross posts or HTML encoding! **
(Related lists -
http://lists.zope.org/mailman/listinfo/zope-announce
http://lists.zope.org/mailman/listinfo/zope-dev )
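The problem in the post comes from where the quoting happens: <dtml-sqlvar type=string> emits the value already wrapped in quotes, so putting %...% around the tag makes the quotes part of the LIKE pattern. The usual fix is to build the whole pattern first and let sqlvar quote that as one value, e.g. <dtml-sqlvar expr="'%' + bar + '%'" type=string>. The Python/SQLite script below is an added example, not code from the post or from Zope; it reproduces the broken pattern, the fixed one, and a further hardening step that escapes user-supplied % and _ so a search for "%" cannot turn into a match-everything wildcard. The table, rows and search terms are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the original post).
ROWS = ["alpha_one", "beta 100% done", "gamma", "'somestring'"]


def make_db():
    """In-memory SQLite stand-in for the poster's MySQL table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (goo TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [(r,) for r in ROWS])
    return conn


def _run(conn, sql, pattern):
    # Always bind the pattern as a parameter; never splice it into the SQL text.
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


def search_broken(conn, bar):
    """What the post's DTML actually sends: sqlvar quotes the value and the
    %...% sit outside those quotes, so the quotes become part of the LIKE
    pattern. Only rows that contain bar *with* surrounding quotes match."""
    quoted = "'" + bar.replace("'", "''") + "'"   # what <dtml-sqlvar type=string> emits
    pattern = "%" + quoted + "%"
    return _run(conn, "SELECT goo FROM t WHERE goo LIKE ?", pattern)


def search_fixed(conn, bar):
    """Build the whole pattern first, then bind it as one value. This is the
    equivalent of <dtml-sqlvar expr="'%' + bar + '%'" type=string>: the
    wildcards land inside the quoted literal, and injection is still
    impossible because the value never touches the SQL text."""
    return _run(conn, "SELECT goo FROM t WHERE goo LIKE ?", "%" + bar + "%")


def like_escape(s, esc="\\"):
    """Neutralise LIKE metacharacters in user input so that a search for
    '%' or '_' means the literal character rather than a wildcard."""
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def search_escaped(conn, bar):
    """Parameterised, and user-supplied wildcards are escaped too."""
    pattern = "%" + like_escape(bar) + "%"
    return _run(conn, "SELECT goo FROM t WHERE goo LIKE ? ESCAPE '\\'", pattern)


def row_count(conn):
    """Used to show that an injection attempt did not delete anything."""
    return conn.execute("SELECT COUNT(*) FROM t").fetchone()[0]


if __name__ == "__main__":
    conn = make_db()
    print(search_broken(conn, "alpha"))       # [] : quotes became part of the pattern
    print(search_fixed(conn, "alpha"))        # ['alpha_one']
    print(search_fixed(conn, "%"))            # every row: wildcard leaked through
    print(search_escaped(conn, "%"))          # ['beta 100% done']
    print(search_fixed(conn, "'; DELETE FROM t; --"), row_count(conn))  # [] 4
```

The same three variants apply unchanged to MySQL: bind the complete pattern as one parameter, and if users should not be able to supply wildcards, escape % and _ (MySQL treats backslash as the default LIKE escape character, so the ESCAPE clause is optional there but harmless).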