[Zope] MySQL LIKE operator

Ron Bickers rbickers@logicetc.com
Wed, 12 Jul 2000 15:10:57 -0400


You should be able to use something like this (untested):

<dtml-var bar sql_quote>

That way you get the SQL quoting without the surrounding quotes.

_______________________

Ron Bickers
Logic Etc, Inc.
rbickers@logicetc.com


> -----Original Message-----
> From: aaronw@c.ict.om.org [mailto:aaronw@c.ict.om.org]
> Sent: Wednesday, July 12, 2000 11:03 AM
> To: zope@zope.org
> Subject: [Zope] MySQL LIKE operator
> 
> 
> Hello,
> 
>     I'm writing a search query to a MySQL database.  I want to keep
> people from screwing around with my database by running searches like ";
> delete from ... yada yada.  So I should use <dtml-sqlvar>, right?  But
> what if I want to use LIKE?
>   If I say:  WHERE goo LIKE "%<dtml-sqlvar name=bar type=string>%"  then
> effectively I am saying: WHERE goo LIKE "%'somestring'%".  In other
> words, it will match only the string with the single quotes.  I hope
> this makes sense.  Has anyone faced a similar problem?
>   Thanks for any help
> 
> --Aaron
> 
> 
> _______________________________________________
> Zope maillist  -  Zope@zope.org
> http://lists.zope.org/mailman/listinfo/zope
> **   No cross posts or HTML encoding!  **
> (Related lists - 
>  http://lists.zope.org/mailman/listinfo/zope-announce
>  http://lists.zope.org/mailman/listinfo/zope-dev )
> 
>
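The exchange above in plain Python, as an added illustration that is not part of the original thread and not Zope's own code. The functions `dtml_sqlvar` and `dtml_sql_quote` only model what `<dtml-sqlvar ... type=string>` and `<dtml-var ... sql_quote>` do to a value; the table `foo`, column `goo` and the query builders are assumptions for the example. Zope's sql_quote of the period only doubled single quotes, so with it the literal around the pattern had to be single-quoted; the escaper here uses MySQL backslash escaping and covers backslash and both quote characters, which is why the double-quoted pattern from the original post is kept. It also shows the one thing neither tag does: making `%` and `_` in user input match literally instead of acting as LIKE wildcards.

```python
# Added example: building a MySQL LIKE clause from untrusted input.
# Models the DTML tags discussed in the thread; this is not Zope code.


def escape_mysql_string(value):
    """Escape a value for use inside a MySQL string literal.

    MySQL treats backslash as an escape character inside literals, so
    escape it first, then both quote characters. (Zope's original
    sql_quote only doubled single quotes.)
    """
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def dtml_sqlvar(value):
    """Models <dtml-sqlvar name=bar type=string>: escaped AND quoted."""
    return "'" + escape_mysql_string(value) + "'"


def dtml_sql_quote(value):
    """Models <dtml-var bar sql_quote>: escaped, no surrounding quotes."""
    return escape_mysql_string(value)


def escape_like_wildcards(value):
    """Make % and _ in user input match themselves rather than act as wildcards.

    Neither tag does this. Produces the pattern MySQL sees after literal
    parsing; MySQL's default LIKE escape character is backslash, so a
    literal backslash in the pattern must itself be doubled.
    """
    return (value.replace("\\", "\\\\")
                 .replace("%", "\\%")
                 .replace("_", "\\_"))


# Hypothetical table/column names, used only to show the resulting SQL.
QUERY_PREFIX = 'SELECT * FROM foo WHERE goo LIKE "%'
QUERY_SUFFIX = '%"'


def like_query_sqlvar(user_input):
    """The original poster's attempt: the quotes land inside the pattern."""
    return QUERY_PREFIX + dtml_sqlvar(user_input) + QUERY_SUFFIX


def like_query_sql_quote(user_input):
    """The suggested fix: the pattern is a single, properly escaped literal."""
    return QUERY_PREFIX + dtml_sql_quote(user_input) + QUERY_SUFFIX


def like_query_hardened(user_input):
    """sql_quote plus wildcard escaping: user input is matched literally.

    Order matters: build the LIKE pattern first, then escape that pattern
    for the string literal, so the backslashes survive literal parsing.
    """
    pattern = escape_like_wildcards(user_input)
    return QUERY_PREFIX + dtml_sql_quote(pattern) + QUERY_SUFFIX


if __name__ == "__main__":
    # Constructed sample inputs: a benign search term and a term with a
    # wildcard character in it.
    for term in ("somestring", "50%_off"):
        print("sqlvar:   ", like_query_sqlvar(term))
        print("sql_quote:", like_query_sql_quote(term))
        print("hardened: ", like_query_hardened(term))
```

Run as a script it prints the three variants for each term: the sqlvar form yields `LIKE "%'somestring'%"`, which only matches rows that literally contain the quotes, exactly as the original post describes; the sql_quote form yields `LIKE "%somestring%"`. Whether wildcard escaping belongs in a search box is a product decision, but it should be a decision, since an input of `%` alone otherwise matches every row. Where the database adapter supports it, passing the pattern as a bound query parameter removes the string-escaping step entirely; the wildcard escaping is still needed.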