[Zope-DB] Re: [Zope] ASC / DESC in queries?

Jim Washington jwashin@vt.edu
Tue, 26 Feb 2002 07:43:19 -0500

Jan Johansson wrote:

>Uhhhhm, dare I ask another question? What is the correct way (if any) to
>insert "Asc"/"Desc" arguments in a SQL statement? Using dtml-var might not
>be clever, since you could insert hostile code, and dtml-sqlvar quotes the
>values so it inserts 'DESC' instead of DESC.
Just do not pass any part of the actual SQL you will use in REQUEST, and 
you should be fine.
Probably easiest in this case would be to pass a flag that means 
ascending, then use some dtml in your ZSQL Method like this, or 
something similar:

<dtml-if sort_order_asc>ASC<dtml-else>DESC</dtml-if>

-- Jim Washington
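The flag-based approach Jim describes, carried over to plain Python as an added example (this is not code from the thread, from Zope, or from any ZSQL Method): request parameters are only ever used to look up a keyword or column name in a fixed allowlist, and the looked-up value, never the request text, is spliced into the ORDER BY clause. Data values still go through bind parameters. The `items` table, its `name`/`price` columns and the rows are constructed for the demonstration.

```python
import sqlite3

# Allowlists: the only strings that will ever be spliced into SQL text.
# A request value is used as a dictionary key, never as SQL itself.
SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}
SORT_COLUMNS = {"name": "name", "price": "price"}  # hypothetical column names


def order_by_clause(column, direction, default_column="name", default_direction="asc"):
    """Build an ORDER BY fragment from untrusted request parameters.

    Unknown or hostile values never reach the query: they miss the
    allowlist and fall back to the defaults.
    """
    col = SORT_COLUMNS.get(str(column).lower(), SORT_COLUMNS[default_column])
    dir_ = SORT_DIRECTIONS.get(str(direction).lower(), SORT_DIRECTIONS[default_direction])
    return "ORDER BY %s %s" % (col, dir_)


def unsafe_order_by(direction):
    """The pattern the question warns about: request text concatenated into SQL.

    Kept only to contrast with order_by_clause(); do not use.
    """
    return "ORDER BY price " + direction


def fetch_item_names(conn, column, direction, min_price):
    """Run the query: keywords/identifiers from the allowlist, data via bind parameters."""
    sql = "SELECT name, price FROM items WHERE price >= ? " + order_by_clause(column, direction)
    return [row[0] for row in conn.execute(sql, (min_price,))]


def build_demo_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("apple", 3), ("pear", 5), ("fig", 1)],
    )
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(fetch_item_names(db, "price", "desc", 0))  # ['pear', 'apple', 'fig']
    # A value that is not in the allowlist simply selects the default ordering.
    print(order_by_clause("price; DROP TABLE items", "desc"))  # ORDER BY name DESC
```

The same idea applies to any other SQL keyword a form might control (LIMIT direction, join type, column list): keep the set of permitted fragments in code, and let the request pick one by name.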