cocoon-users mailing list archives

From Donald Ball <>
Subject Re: cannot get ESQL to work... urgent
Date Wed, 13 Sep 2000 03:15:48 GMT
On Wed, 13 Sep 2000, Viktors Rotanovs wrote:

> And, remember, if you will pass variables from requests directly
> to sql queries, escape them first, otherwise site will be vulnerable to
> all sorts of attacks.

ooh, that's a really good idea. i wonder if we should add a wrapper
element function to the esql namespace:

 select id,name from employee_table where id = 
 <esql:safe-var><request:get-parameter name="id"/></esql:safe-var>

you got any ideas on what the safe-var function would check for?

- donald
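Added example, not code from the thread or from Cocoon: the injection Viktors warns about and what the proposed safe-var would actually have to check, written with Python's sqlite3 rather than Cocoon's Java/JDBC so it runs stand-alone. The employee_table, its rows and the hostile request values are constructed here. The point it adds to the thread is that "escape it first" only helps inside a quoted string literal; for the unquoted numeric predicate in Donald's query the payload contains no quotes at all, so safe-var would have to validate the type (or the value would have to be bound as a parameter) instead.

```python
import re
import sqlite3

# Constructed sample data standing in for the thread's employee_table.
EMPLOYEES = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """In-memory SQLite database holding the constructed employee_table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee_table (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO employee_table VALUES (?, ?)", EMPLOYEES)
    return conn


def lookup_unsafe(conn, raw_id):
    """Equivalent of pasting <request:get-parameter name="id"/> into the query text."""
    sql = "SELECT id, name FROM employee_table WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def escape_quotes(value):
    """Quote doubling, the usual 'escape it first' advice for string literals.
    Sufficient for SQLite; MySQL additionally treats backslash as an escape."""
    return value.replace("'", "''")


def lookup_escaped(conn, raw_id):
    """Escaping does nothing for an unquoted numeric predicate: a payload such
    as '1 OR 1=1' contains no quote characters and passes through untouched."""
    sql = "SELECT id, name FROM employee_table WHERE id = " + escape_quotes(raw_id)
    return conn.execute(sql).fetchall()


def lookup_name_escaped(conn, raw_name):
    """Inside a quoted string literal the same escaping does work: the doubled
    quotes keep the payload inside the literal."""
    sql = "SELECT id, name FROM employee_table WHERE name = '" + escape_quotes(raw_name) + "'"
    return conn.execute(sql).fetchall()


def lookup_validated(conn, raw_id):
    """One answer to 'what would safe-var check for': for an integer column,
    accept only a short unsigned decimal string and reject everything else."""
    if re.fullmatch(r"[0-9]{1,18}", raw_id) is None:
        raise ValueError("id must be a decimal integer, got %r" % raw_id)
    return conn.execute("SELECT id, name FROM employee_table WHERE id = " + raw_id).fetchall()


def lookup_bound(conn, raw_id):
    """Parameter binding: the value is sent separately from the SQL text, so it
    is compared as a value and can never change the query's structure."""
    return conn.execute(
        "SELECT id, name FROM employee_table WHERE id = ?", (raw_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"  # constructed hostile request parameter
    print("unsafe   ", lookup_unsafe(conn, payload))    # every row leaks
    print("escaped  ", lookup_escaped(conn, payload))   # still every row
    print("bound    ", lookup_bound(conn, payload))     # no row matches
    try:
        lookup_validated(conn, payload)
    except ValueError as exc:
        print("validated", exc)                          # rejected up front
    print("name     ", lookup_name_escaped(conn, "bob' OR '1'='1"))  # no rows
```

Of the four variants, only lookup_bound needs no knowledge of the column type; a safe-var element that escapes quotes would have to know whether it sits inside a string literal or a numeric comparison, which is why binding is the simpler rule to follow.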
