[Zope] question about forms and zsql

Thomas B. Passin tpassin@mitretek.org
Wed, 13 Feb 2002 16:01:46 -0500


[Dieter Maurer]> Thomas B. Passin writes:
>  > ....
>  > select * from table where name like '%&dtml-searchphrase;%'
> Please do not forget "sql_quote" inside SQL strings.
> Otherwise, some malicious user may play havoc with your database
> (by closing the string, adding a very bad SQL command in which the
> string is reopened).
>
>  > ...
>  > Finally, if the searchphrase value might have quotes in it, make sure to
>  > use the sql quoting option (check the docs for the exact syntax).
> Do it, even when you think, there should be no quotes...
>

Amen...

Tom P
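As an added illustration of the point made in the thread (this is example code, not from the original post or from Zope itself): the naive `like '%&dtml-searchphrase;%'` pattern lets a value containing a single quote terminate the string literal, while quoting keeps the value inside the literal. The example uses Python's `sqlite3` in place of a ZSQL method, a constructed `contacts` table, and a local `sql_quote` that is assumed to do what DTML's `sql_quote` does (double every single quote). In a real ZSQL method the native form is `<dtml-sqlvar searchphrase type=string>`, which quotes for you; the last function shows the equivalent parameter binding outside Zope.

```python
import sqlite3

# Constructed sample data; 'Tim O''Reilly' is the SQL spelling of a name with a quote.
SAMPLE_SCHEMA = """
create table contacts(name text);
insert into contacts values ('Tim O''Reilly'), ('Ada Lovelace');
"""


def sql_quote(value: str) -> str:
    """Assumed equivalent of DTML's sql_quote: double single quotes so the
    value can never close the surrounding SQL string literal."""
    return value.replace("'", "''")


def build_naive(searchphrase: str) -> str:
    """The pattern from the thread, with the value pasted in verbatim."""
    return "select name from contacts where name like '%" + searchphrase + "%'"


def build_quoted(searchphrase: str) -> str:
    """Same query with the value passed through sql_quote first."""
    return "select name from contacts where name like '%" + sql_quote(searchphrase) + "%'"


def run(query: str):
    """Run a query against the constructed table.

    Returns the list of matching names, or None when the database rejects the
    statement (the symptom a quote-in-input produces with the naive pattern)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SAMPLE_SCHEMA)
        return [row[0] for row in conn.execute(query)]
    except sqlite3.Error:
        return None
    finally:
        conn.close()


def lookup_param(searchphrase: str):
    """Preferred form outside ZSQL: the value never touches the SQL text,
    it is bound as a parameter, so quoting is the driver's job."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.executescript(SAMPLE_SCHEMA)
        rows = conn.execute(
            "select name from contacts where name like ?",
            ("%" + searchphrase + "%",),
        )
        return [row[0] for row in rows]
    finally:
        conn.close()


if __name__ == "__main__":
    phrase = "O'Reilly"
    print("naive  :", run(build_naive(phrase)))    # None: the quote broke the literal
    print("quoted :", run(build_quoted(phrase)))   # ["Tim O'Reilly"]
    print("param  :", lookup_param(phrase))        # ["Tim O'Reilly"]
```

With a quote-free phrase both builders behave the same, which is exactly why the thread says to quote even when you think no quotes will ever arrive: the difference only shows up on the input you did not plan for.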