[Zope] Accessing a Database
Jim Penny
jpenny@universal-fasteners.com
Thu, 30 May 2002 11:11:57 -0400
On Wed, May 29, 2002 at 07:12:16PM -0700, Stephan Vladimir Bugaj wrote:
> I'm trying to do a "like" query in a database...
>
> I've created a ZSQL thing like this
> select foo,bar from xxx
> <dtml-sqlgroup where>
> <dtml-sqltest ABC op=like type=string>
> </dtml-sqlgroup>
> order by foo
>
Simplify, simplify, and safety.
First, an actual working snippet.
select * from brands where brand like '<dtml-var brand sql_quote>%'
Note the sql_quote. It is urgent if you ever have any, even accidental,
exposure to the Internet. ALWAYS use sqlvar or sql_quote. (Yeah, I can
think of some exceptions, but they just pass the work off into a
pre-validation routine.)
Now, this has not been tested, but should work fine:
select foo,bar from xxx
<dtml-if bah>
where baz like '<dtml-var bah sql_quote>%'
</dtml-if>
order by foo
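An added Python example (not from Jim's post and not Zope's own code) that shows what the two snippets above render to, and why the sql_quote matters. It assumes sql_quote behaves as DTML's does, doubling every single quote so the value stays inside one SQL string literal, and it uses an in-memory sqlite3 table with constructed rows as a stand-in for the real database. The table name, column names and sample brands are made up for the demonstration.

```python
import sqlite3


def sql_quote(value: str) -> str:
    """Model of DTML's sql_quote (assumption: it doubles single quotes, nothing
    more). Note that LIKE wildcards such as % and _ are NOT escaped by it."""
    return value.replace("'", "''")


def render_brand_query(brand: str, quote: bool = True) -> str:
    """Render the first snippet from the post. quote=False reproduces the
    unsafe form without sql_quote, for comparison only."""
    value = sql_quote(brand) if quote else brand
    return f"select * from brands where brand like '{value}%'"


def render_foo_query(bah):
    """Render the second snippet: the where clause is only emitted when
    'bah' is truthy, as <dtml-if bah> does."""
    sql = "select foo,bar from xxx"
    if bah:
        sql += f" where baz like '{sql_quote(bah)}%'"
    return sql + " order by foo"


def make_db():
    """Constructed sample table standing in for the real brands table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table brands (id integer primary key, brand text)")
    conn.executemany(
        "insert into brands (brand) values (?)",
        [("Acme",), ("Acme Tools",), ("O'Neil",), ("Omega",)],
    )
    return conn


def find_brands(conn, prefix: str, quote: bool = True):
    """Run the rendered query and return the matching brand names."""
    rows = conn.execute(render_brand_query(prefix, quote)).fetchall()
    return [row[1] for row in rows]


def find_brands_param(conn, prefix: str):
    """The DB-API equivalent of sqlvar: the value never touches the SQL text,
    so no quoting step can be forgotten."""
    rows = conn.execute(
        "select * from brands where brand like ?", (prefix + "%",)
    ).fetchall()
    return [row[1] for row in rows]


def unquoted_query_is_rejected(conn, prefix: str) -> bool:
    """True when the unquoted rendering is no longer valid SQL, i.e. when the
    input broke out of the string literal. A quoted rendering never does."""
    try:
        find_brands(conn, prefix, quote=False)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(render_brand_query("O'N"))
    print(find_brands(db, "O'N"), find_brands_param(db, "O'N"))
    print("unquoted rejected:", unquoted_query_is_rejected(db, "O'N"))
```

A legitimate value such as O'Neil is enough to show the difference: with sql_quote the rendered literal is 'O''N%' and the row is found, without it the apostrophe ends the literal early and the statement fails to parse. If callers may supply % or _ in the prefix, escape those separately (sql_quote does not), or bound the match some other way.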
Jim Penny