[Zope-DB] escaping punctuation in formulator

Charlie Clark charlie at begeistert.org
Tue Feb 3 12:28:10 EST 2004

On 2004-02-03 at 16:26:22 [+0100], Marie Robichon wrote:
> Hi,
> How do I escape single quotes and '(' or ')' characters passed from my
> Formulator form to my SQLmethod ??
> If I don't escape them explicitly, formulator adds two single quotes around
> my value and I get a 'quoted string incorrectly terminated error' (or
> something like that).
> It is particularly tricky since I have a '<dtml-in><dtml-var
> sequence-item>;</dtml-in>' construct within my sql method in order to
> extract values from mutlicheckboxes and feed them into one column in my
> oracle db.

mm, this sounds like a Formulator issue. Formulator was one of those things 
I was going to look at some day but found it was more complex to change the 
rendering than to make forms manually... but I guess this is more down to my 
still not being very familiar with working with Zope products.

I would, however, strongly advise using any DTML in ZSQL apart from 
<dtml-sqlvar> and <dtml-if>. It makes the code much more difficult to work 
with when trying to work out whether you've got an SQL or programming error. 
Surely, you can do the looping stuff in a nice, clean PythonScript which 
calls the appropriate ZSQL methods? You can also check what Formulator is 
generating at this point and make changes if necessary.

I've never had any problems with <dtml-sqlvar> quoting any kind values with 
PostgreSQL or MySQL but it a driver error is possible.


More information about the Zope-DB mailing list