cocoon-users mailing list archives

From Sebastian Heidl <he...@zib.de>
Subject Re: cannot get ESQL to work... urgent
Date Thu, 14 Sep 2000 10:38:39 GMT
Donald Ball wrote:
> 
> On Wed, 13 Sep 2000, Viktors Rotanovs wrote:
> 
> > And, remember, if you will pass variables from requests directly
> > to sql queries, escape them first, otherwise the site will be vulnerable to
> > all sorts of attacks.
> 
> Ooh, that's a really good idea. I wonder if we should add a wrapper
> element function to the esql namespace:
> 
> <esql:query>
>  select id,name from employee_table where id =
>  <esql:safe-var><request:get-parameter name="id"/></esql:safe-var>
> </esql:query>
> 
> you got any ideas on what the safe-var function would check for?

It should escape all single quotes, so it is not
possible to inject extra SQL commands in the query string.

Sebastian
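
As an added illustration (not code from this thread or from Cocoon's ESQL logicsheet): a Python stand-in for the two ways of handling the request parameter in the query Donald quoted. `safe_var` is a hypothetical name for the proposed quote-escaping, `employee_table` is a constructed in-memory SQLite table, and `query_bound` shows the alternative of passing the value as a bind parameter instead of splicing it into the SQL text.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the employee_table in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute("create table employee_table (id integer primary key, name text)")
    db.executemany("insert into employee_table values (?, ?)",
                   [(1, "alice"), (2, "bob"), (3, "carol")])
    return db


def safe_var(value):
    """The check proposed in the thread (hypothetical name, after esql:safe-var):
    double every single quote so the value cannot close a string literal."""
    return str(value).replace("'", "''")


def query_escaped(db, id_param):
    """Query built by text substitution, as the esql:query in the thread does.
    The id column is numeric, so the substituted value is not inside quotes
    and quote-escaping has nothing to act on."""
    sql = "select id,name from employee_table where id = " + safe_var(id_param)
    return db.execute(sql).fetchall()


def query_bound(db, id_param):
    """Hardened form: the value is sent as a bind parameter, never spliced into
    the SQL text, so it is only ever compared as a value against id."""
    sql = "select id,name from employee_table where id = ?"
    return db.execute(sql, (id_param,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(query_escaped(db, "2"))        # [(2, 'bob')]
    print(query_bound(db, "2"))          # [(2, 'bob')]
    # A value with no single quote passes safe_var unchanged; in an unquoted
    # numeric context it still changes what the statement means.
    tainted = "2 or 1=1"
    print(query_escaped(db, tainted))    # all three rows
    print(query_bound(db, tainted))      # []
```

The quote-escaping only protects values that land inside a string literal; for a numeric column like `id` the parameter should be validated as a number or bound as a parameter rather than escaped.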
