Return-Path: <balld@webslingerZ.com>
Mailing-List: contact cocoon-users-help@xml.apache.org; run by ezmlm
Delivered-To: mailing list cocoon-users@xml.apache.org
Received: (qmail 1580 invoked from network); 13 Sep 2000 18:00:18 -0000
Received: from unknown (HELO ma7.webslingerZ.com) (216.27.73.7)
  by locus.apache.org with SMTP; 13 Sep 2000 18:00:18 -0000
Received: by ma7.webslingerZ.com (Postfix, from userid 501)
	id EAA6348BC; Tue, 12 Sep 2000 23:15:48 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
	by ma7.webslingerZ.com (Postfix) with ESMTP id 898D56087
	for <cocoon-users@xml.apache.org>; Tue, 12 Sep 2000 23:15:48 -0400 (EDT)
Date: Tue, 12 Sep 2000 23:15:48 -0400 (EDT)
From: Donald Ball <balld@webslingerZ.com>
X-Sender: balld@localhost.localdomain
To: cocoon-users@xml.apache.org
Subject: Re: cannot get ESQL to work... urgent
In-Reply-To: <00091304373100.06481@viktors.riga.nu>
Message-ID: <Pine.LNX.4.21.0009122314300.6948-100000@localhost.localdomain>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

On Wed, 13 Sep 2000, Viktors Rotanovs wrote:

> And, remember, if you will pass variables from requests directly
> to sql queries, escape them first, otherwise site will be vulnerable to
> all sorts of attacks.

ooh, that's a really good idea. i wonder if we should add a wrapper
element function to the esql namespace:

<esql:query>
 select id,name from employee_table where id = 
 <esql:safe-var><request:get-parameter name="id"/></esql:safe-var>
</esql:query>

you got any ideas on what the safe-var function would check for?

- donald