[Zope-DB] escaping punctuation in formulator
charlie at begeistert.org
Tue Feb 3 12:28:10 EST 2004
On 2004-02-03 at 16:26:22 [+0100], Marie Robichon wrote:
> How do I escape single quotes and '(' or ')' characters passed from my
> Formulator form to my SQLmethod ??
> If I don't escape them explicitly, formulator adds two single quotes around
> my value and I get a 'quoted string incorrectly terminated error' (or
> something like that).
> It is particularly tricky since I have a '<dtml-in><dtml-var
> sequence-item>;</dtml-in>' construct within my sql method in order to
> extract values from mutlicheckboxes and feed them into one column in my
> oracle db.
mm, this sounds like a Formulator issue. Formulator was one of those things
I was going to look at some day but found it was more complex to change the
rendering than to make forms manually... but I guess this is more down to my
still not being very familiar with working with Zope products.
I would, however, strongly advise using any DTML in ZSQL apart from
<dtml-sqlvar> and <dtml-if>. It makes the code much more difficult to work
with when trying to work out whether you've got an SQL or programming error.
Surely, you can do the looping stuff in a nice, clean PythonScript which
calls the appropriate ZSQL methods? You can also check what Formulator is
generating at this point and make changes if necessary.
I've never had any problems with <dtml-sqlvar> quoting any kind values with
PostgreSQL or MySQL but it a driver error is possible.
More information about the Zope-DB