[Zope] Parameterizing dtml-sqltest's column?

Richard Wesley hawkfish@electricfish.com
Fri, 25 Oct 2002 14:49:53 -0700


At 9:52 PM +0200 10/25/02, Dieter Maurer wrote:
>Richard Wesley writes:
>  > ...
>  >          <dtml-sqltest Value column="_.getitem('sequence-item')" type=string>
>  > ...
>  > But this expands to having the column equal to the literal text
>  > "_.getitem('sequence-item')", i.e. no interpretation is done.
>  >
>  > Is there a way to do this or do I have to leave all my SQL unprotected?
>"dtml-sqltest" does not provide such a way (you can extend it
>along the lines of other "XXX_expr" attributes. You find examples,
>e.g. in "Products/MailHost/SendMailTag").
>
>You can however use the more elementary "dtml-sqlvar".
>
>   The above "dtml-sqltest", e.g., can be emulated by:
>
>     <dtml-var expr="_.getitem('sequence-item')" sql_quote>
>        = <dtml-sqlvar Value type=string>
>
>Be careful about security!

Thank you Dieter.  I have to say that after I posted this, I checked 
my code and I am in fact using dtml-sqlvar, so I should be OK.  It 
would just have been nice to be able to use the multiple tag.

Sincerely,

Richard Wesley
Co-President, Electric Fish, Inc.
<http://www.electricfish.com/>
(v) +1-206-493-1690x210
(f) +1-206-493-1697
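
Added example, not part of the original thread: the emulation quoted above places the column name directly into the SQL text, and quote-doubling protects string literals, not identifiers. The Python sketch below uses sqlite3 as a stand-in for a Zope database adapter, checks the column against an allowlist and binds the value; the table, column names and helper functions are assumptions made for illustration.

```python
import sqlite3

# Hypothetical allowlist: the only columns a caller may filter on.
ALLOWED_COLUMNS = frozenset({"name", "city", "email"})

def sql_quote(value):
    """Double single quotes, the escaping DTML's sql_quote applies to string values."""
    return value.replace("'", "''")

def build_filter(column, value):
    """Return (sql, params) for `column = value`.

    An identifier cannot be passed as a bound parameter, so the column is
    accepted only if it is on the allowlist. The value is always bound.
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % (column,))
    return 'SELECT id FROM people WHERE "%s" = ? ORDER BY id' % column, (value,)

def find_ids(conn, column, value):
    sql, params = build_filter(column, value)
    return [row[0] for row in conn.execute(sql, params)]

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER, name TEXT, city TEXT, email TEXT)")
    conn.executemany("INSERT INTO people VALUES (?, ?, ?, ?)", [
        (1, "O'Brien", "Seattle", "ob@example.com"),   # constructed sample rows
        (2, "Wesley", "Seattle", "rw@example.com"),
    ])
    results = {
        "by_city": find_ids(conn, "city", "Seattle"),
        "by_name": find_ids(conn, "name", "O'Brien"),  # quote in value is harmless when bound
    }
    # Constructed hostile column value that contains no quote characters,
    # so quote-doubling leaves it untouched.
    hostile = "1=1 OR name"
    results["quote_changed_it"] = sql_quote(hostile) != hostile
    try:
        find_ids(conn, hostile, "x")
        results["rejected"] = False
    except ValueError:
        results["rejected"] = True
    return results

if __name__ == "__main__":
    print(demo())
```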