[Zope] safe strings in calling SQL

Dieter Maurer dieter@handshake.de
Fri, 20 Jul 2001 21:03:56 +0200 (CEST)


Reinoud van Leeuwen writes:
 > It does not seem to be very safe to use a construct like
 > 
 > select record
 > from table
 > where field like "%<dtml-var string_from_form>"
Use '<dtml-var string_from_form sql_quote>'.


Dieter
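An added example, not part of the original thread and not Zope's code, showing why the quoted question is an injection problem and what the suggested `sql_quote` changes. The `sql_quote` function here is a hypothetical reimplementation of the quote-doubling that the DTML filter performs; the table, its rows and the form inputs are constructed for the demonstration, and the vulnerable query is written with single quotes because SQLite treats `"..."` as an identifier rather than a string literal.

```python
import sqlite3

# Constructed sample data, not from the post: 'field' is matched by the
# LIKE clause, 'record' is what the query returns.
ROWS = [("alice", "secret-a"), ("bob", "secret-b"), ("carol", "public")]


def sql_quote(value: str) -> str:
    """Double each single quote so the value cannot terminate the literal.

    Hypothetical reimplementation of what DTML's sql_quote does to quotes;
    it is not Zope's own code.
    """
    return value.replace("'", "''")


def vulnerable_query(string_from_form: str) -> str:
    # Mirrors the construct from the post: the form value is dropped into
    # the string literal unescaped (<dtml-var string_from_form>).
    return "select record from t where field like '%" + string_from_form + "'"


def safe_query(string_from_form: str) -> str:
    # Dieter's advice: quote the value and run it through sql_quote
    # ('<dtml-var string_from_form sql_quote>').
    return "select record from t where field like '%" + sql_quote(string_from_form) + "'"


def run(sql: str) -> list:
    """Execute the query against an in-memory table and return the records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (field text, record text)")
    conn.executemany("insert into t values (?, ?)", ROWS)
    return sorted(row[0] for row in conn.execute(sql))


if __name__ == "__main__":
    honest = "ob"                # a normal search: matches 'bob'
    hostile = "' or 'a'='a"      # closes the literal and appends a tautology
    print("honest, vulnerable:", run(vulnerable_query(honest)))
    print("hostile, vulnerable:", run(vulnerable_query(hostile)))  # every record
    print("hostile, safe:", run(safe_query(hostile)))              # nothing
    # sql_quote only protects the quoting; LIKE wildcards still pass through.
    print("wildcard, safe:", run(safe_query("%")))                 # every record
```

With the hostile input the unquoted template becomes `... like '%' or 'a'='a'` and returns every record, while the `sql_quote` version becomes `... like '%'' or ''a''=''a'` and matches nothing. Note the last call: `sql_quote` keeps the value inside the string literal, but `%` and `_` are still LIKE metacharacters, so a form value of `%` matches every row. Preventing that needs separate escaping of the wildcards with an `ESCAPE` clause, which the filter does not do.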