cocoon-users mailing list archives

From Christian Haul <h...@dvs1.informatik.tu-darmstadt.de>
Subject Re: Using matchers, especially sessionstate...
Date Tue, 12 Nov 2002 11:09:16 GMT
On 11.Nov.2002 -- 03:29 PM, Christian Joelly wrote:
> Hello!
> 
> On Mon, Nov 11, 2002 at 11:17:15AM +0100, Christian Haul wrote:
> > On 07.Nov.2002 -- 09:44 AM, Christian Joelly wrote:
> > > 
> > > thanks for your answer. I'd prefer to use the version 2.0.1 for this
> > > application, because maybe there are some other problems rising when I
> > > switch the cocoon version during development... ;-)
> > 
> > Fair enough. OTOH many issues have been resolved. There should be no
> > change in the user visible interface apart from stuff in scratchpad.
> 
> I'm now working to integrate cocoon 2.0.3 with my application, but I see
> there are some issues that are strange:
> 
> I wrote lots of sql queries in the following manner
> (as I usually did with other frameworks or dev tools):
> 
> <xsp:logic>
> 	sQuery = "SELECT DISTINCT"
> 		+ " nUserID,"
> 		+ " sUserName"
> 		+ " FROM"
> 		+ " users";
> 
> 	if (sNachname != null) {
> 		sQuery += " WHERE"
> 			+ " sNachname LIKE \"" + sNachname + "%\"";
> 	}
> 	
> 	<!-- lots of other tests go here... -->	
> 
> </xsp:logic>

Right, this appears to be a bug in Xalan, see
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8734

If you don't use the same type of quotes inside the string, it is OK,
IIRC. The other option is to search and replace all \" with ', i.e.
s/\\"/'/g

Please be aware that the above code may allow a user to substitute
sNachname with a string like '"; close database; drop database somedb;',
which is probably not intended. Consider using prepared statements like

<esql:query>select distinct nUserID, sUserName from users where
sNachname like <esql:parameter><xsp:expr>sNachname+"%"</xsp:expr></esql:parameter></esql:query>

	Chris.
-- 
C h r i s t i a n       H a u l
haul@informatik.tu-darmstadt.de
    fingerprint: 99B0 1D9D 7919 644A 4837  7D73 FEF9 6856 335A 9E08
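The prepared-statement point in the reply above, as an added example that is not from the thread and not Cocoon/ESQL code: the concatenated query from the post beside a bound-parameter version equivalent to <esql:parameter>, written in Python with the standard sqlite3 module instead of XSP/ESQL so it runs stand-alone. The table, the sample rows and the function names are constructed here; the column names follow the post. It also goes one step further than the reply: binding the value stops it from being parsed as SQL, but % and _ inside the value still act as LIKE wildcards, so a third variant escapes them.

```python
import sqlite3

# Constructed sample rows (not from the mailing-list thread); column names follow the post.
SAMPLE_USERS = [
    (1, "alice", "Mueller"),
    (2, "bob", "Meier"),
    (3, "carol", "O'Brien"),
    (4, "dave", "Mu_ller"),
]


def make_db():
    """In-memory SQLite database standing in for the 'users' table of the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (nUserID INTEGER PRIMARY KEY, sUserName TEXT, sNachname TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_users_concat(conn, sNachname):
    """The pattern from the post: the value is pasted into the SQL text.
    Whatever sNachname contains is parsed as SQL, so a quote (even a
    legitimate one, as in O'Brien) breaks or changes the statement."""
    sQuery = "SELECT DISTINCT nUserID, sUserName FROM users"
    if sNachname is not None:
        sQuery += " WHERE sNachname LIKE '" + sNachname + "%'"
    sQuery += " ORDER BY nUserID"
    return [row[0] for row in conn.execute(sQuery)]


def concat_query_fails(conn, sNachname):
    """True if the concatenated query cannot even be parsed for this input."""
    try:
        find_users_concat(conn, sNachname)
        return False
    except sqlite3.OperationalError:
        return True


def escape_like(value, esc="\\"):
    """Make %, _ and the escape character itself literal inside a LIKE pattern."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def find_users_prepared(conn, sNachname, literal_prefix=False):
    """Equivalent of <esql:parameter>: the value is bound by the driver and
    never parsed as SQL. With literal_prefix=True the wildcards typed by the
    user are escaped too, so 'Mu_' only matches surnames starting 'Mu_'."""
    sql = "SELECT DISTINCT nUserID, sUserName FROM users"
    params = ()
    if sNachname is not None:
        if literal_prefix:
            sql += " WHERE sNachname LIKE ? ESCAPE '\\'"
            params = (escape_like(sNachname) + "%",)
        else:
            sql += " WHERE sNachname LIKE ?"
            params = (sNachname + "%",)
    sql += " ORDER BY nUserID"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    print(find_users_concat(db, "M"))             # [1, 2, 4]
    print(concat_query_fails(db, "O'"))           # True: the quote breaks the SQL
    print(find_users_prepared(db, "O'"))          # [3]: bound value, the quote is data
    print(find_users_prepared(db, "Mu_"))         # [1, 4]: '_' is still a wildcard
    print(find_users_prepared(db, "Mu_", True))   # [4]: wildcards escaped
```

The bound version is what the ESQL snippet compiles down to (a JDBC PreparedStatement with setString); the ESCAPE variant is only needed when the prefix typed by the user must be taken literally, which the post does not require but is worth deciding consciously.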

---------------------------------------------------------------------
Please check that your question  has not already been answered in the
FAQ before posting.     <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail:     <cocoon-users-unsubscribe@xml.apache.org>
For additional commands, e-mail:   <cocoon-users-help@xml.apache.org>

