[Zope-DB] Re: [Zope] ASC / DESC in queries?

Jim Washington jwashin@vt.edu
Tue, 26 Feb 2002 07:43:19 -0500


Jan Johansson wrote:

>Uhhhhm, dare I ask another question? What is the correct way (if any) to
>insert "Asc"/"Desc" arguments in a SQL statement? Using dtml-var might not
>be clever, since you could insert hostile code, and dtml-sqlvar quotes the
>values so it inserts 'DESC' instead of DESC.
>
Just do not pass any part of the actual SQL you will use in REQUEST, and 
you should be fine.
Probably easiest in this case would be to pass a flag that means 
ascending, then use some dtml in your ZSQL Method like this, or 
something similar:

<dtml-if sort_order_asc>ASC<dtml-else>DESC</dtml-if>

-- Jim Washington
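A Python rendering of the flag-based approach described above, as an added example that is not part of the original thread: the request only carries a truthy/falsy flag, and the ASC/DESC keyword is chosen server-side from a fixed pair, so no request text reaches the SQL. It uses sqlite3 with a constructed request dict and items table; Zope's ZSQL machinery is not involved.

```python
# Added example, not from the original post. Request dict, table and column
# names are constructed for illustration.
import sqlite3


def order_direction(request):
    """Map a request flag to a SQL keyword via an allow-list.

    Only the flag's truthiness is read; the keyword itself never comes from
    the request, so nothing the client sends is copied into the SQL text.
    """
    return "ASC" if request.get("sort_order_asc") else "DESC"


def unsafe_query(request):
    """The dtml-var style: the request value is pasted into the SQL verbatim."""
    return "SELECT name, price FROM items ORDER BY price %s" % request.get(
        "sort_order", "ASC"
    )


def safe_query(request):
    """The flag style: the direction keyword is chosen by the server."""
    return "SELECT name, price FROM items ORDER BY price %s" % order_direction(
        request
    )


def fetch_prices(request):
    """Run safe_query against a constructed in-memory table; return prices in order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, price INTEGER)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)", [("a", 3), ("b", 1), ("c", 2)]
    )
    rows = conn.execute(safe_query(request)).fetchall()
    conn.close()
    return [price for _, price in rows]


if __name__ == "__main__":
    print(fetch_prices({"sort_order_asc": 1}))  # ascending: [1, 2, 3]
    print(fetch_prices({}))  # default descending: [3, 2, 1]
```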