cocoon-users mailing list archives

From: Donald Ball <ba...@webslingerZ.com>
Subject: Re: cannot get ESQL to work... urgent
Date: Wed, 13 Sep 2000 03:15:48 GMT
On Wed, 13 Sep 2000, Viktors Rotanovs wrote:

> And, remember, if you will pass variables from requests directly
> to sql queries, escape them first, otherwise the site will be vulnerable to
> all sorts of attacks.

Ooh, that's a really good idea. I wonder if we should add a wrapper
element function to the esql namespace:

<esql:query>
 select id,name from employee_table where id = 
 <esql:safe-var><request:get-parameter name="id"/></esql:safe-var>
</esql:query>

You got any ideas on what the safe-var function would check for?

- donald
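The escaping the quoted reply recommends, and the safe-var check Donald asks about, worked through as an added example that is not part of this thread and not Cocoon's ESQL code. It uses Python's sqlite3 module as a stand-in for the JDBC connection behind ESQL's generated Java; the employee_table rows are constructed, and the names is_safe_int, lookup_checked, sql_quote and lookup_by_name_escaped are chosen for this example, not ESQL elements. It shows the unguarded interpolation from the post's query beside three treatments: binding the value as a statement parameter (in JDBC, a PreparedStatement with a ? placeholder), a type whitelist for the unquoted numeric position the post uses, and quote-doubling for a position that expects a string literal.

```python
import re
import sqlite3

# Constructed sample rows standing in for the post's employee_table.
EMPLOYEES = [(1, "alice"), (2, "bob"), (3, "carol")]

# Hypothetical safe-var rule for an unquoted numeric position: optional sign, digits only.
INT_RE = re.compile(r"[+-]?[0-9]+")


def make_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee_table (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO employee_table VALUES (?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def lookup_unsafe(conn, raw_id):
    """The pattern the post warns about: the request parameter is pasted
    straight into the SQL text, so whatever it contains is parsed as SQL."""
    sql = "select id,name from employee_table where id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_bound(conn, raw_id):
    """Parameter binding: the value travels separately from the SQL text and
    can never alter the statement's structure. The JDBC equivalent is a
    PreparedStatement with a '?' placeholder and setString/setInt."""
    sql = "select id,name from employee_table where id = ?"
    return conn.execute(sql, (raw_id,)).fetchall()


def is_safe_int(raw):
    """Hypothetical safe-var check for the post's unquoted 'where id = ' slot.
    Quote-escaping cannot help here because the value sits outside any quotes,
    so the only textual check that works is a strict type whitelist."""
    return INT_RE.fullmatch(raw.strip()) is not None


def lookup_checked(conn, raw_id):
    """Interpolation guarded by the whitelist above. Returns None when the
    value is rejected, so nothing reaches the database."""
    if not is_safe_int(raw_id):
        return None
    sql = "select id,name from employee_table where id = %d" % int(raw_id)
    return conn.execute(sql).fetchall()


def sql_quote(value):
    """Hypothetical safe-var for a string-literal position: wrap in single
    quotes and double any embedded quote, the escaping the quoted reply has
    in mind. Only valid where the SQL grammar expects a quoted literal."""
    return "'" + value.replace("'", "''") + "'"


def lookup_by_name_escaped(conn, raw_name):
    """Name lookup with the value escaped into a string literal."""
    sql = "select id,name from employee_table where name = " + sql_quote(raw_name)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "2"))                        # [(2, 'bob')]
    print(lookup_unsafe(db, "2 OR 1=1"))                 # every row: injection succeeds
    print(lookup_bound(db, "2 OR 1=1"))                  # []: whole string compared as a value
    print(lookup_checked(db, "2 OR 1=1"))                # None: rejected before the query is built
    print(lookup_by_name_escaped(db, "bob' OR '1'='1"))  # []: the quote is data, not syntax
```

The split matters for the proposed element: doubling quotes only protects a value inside '...', and the post's query has no quotes around the id, so a safe-var wrapper in that position would have to know the column type and enforce it. Binding the value as a parameter needs no per-type rule at all, which is why it is the better default for the element to generate.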

