cocoon-users mailing list archives

From Christian Haul <h...@dvs1.informatik.tu-darmstadt.de>
Subject Re: Request parameters for SQL arguments
Date Fri, 06 Dec 2002 14:50:29 GMT
On 06.Dec.2002 -- 03:47 PM, Scherler, Thorsten wrote:
> Sorry, that is much better (use <xsp:expr/>):
> 
> select * From AllTask Where wfID=<xsp:expr><xsp-request:get-parameter name="myID"/></xsp:expr>

Please imagine what happens if myID evaluates to "; update AllTasks set done = 1; --"

IOW you should use <esql:parameter/> around it to have esql use a PreparedStatement.

BTW the xsp:expr is not needed here.

	Chris.
-- 
C h r i s t i a n       H a u l
haul@informatik.tu-darmstadt.de
    fingerprint: 99B0 1D9D 7919 644A 4837  7D73 FEF9 6856 335A 9E08

---------------------------------------------------------------------
Please check that your question  has not already been answered in the
FAQ before posting.     <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail:     <cocoon-users-unsubscribe@xml.apache.org>
For additional commands, e-mail:   <cocoon-users-help@xml.apache.org>
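Added example, not part of the thread and not Cocoon or esql code: the two versions of the query from the message, reproduced in Python against an in-memory sqlite3 database so the difference can be run. The AllTask table, its columns (wfID, title, done) and its rows are constructed for the demo; executescript() stands in for a database driver that accepts stacked statements, which is the assumption behind the ";" in the payload.

```python
import sqlite3

# Constructed sample table standing in for the thread's AllTask
# (column names wfID, title and done are assumed for the demo).
SCHEMA = """
create table AllTask (
    wfID  integer primary key,
    title text not null,
    done  integer not null default 0
);
insert into AllTask (wfID, title) values (1, 'review spec'), (2, 'write tests');
"""

# The request parameter value the reply asks the reader to imagine.
PAYLOAD = "1; update AllTask set done = 1; --"


def fresh_db():
    """New in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def done_count(conn):
    """How many tasks are marked done; stays 0 unless something updates them."""
    return conn.execute("select count(*) from AllTask where done = 1").fetchone()[0]


def run_concatenated(conn, my_id):
    """Equivalent of pasting <xsp-request:get-parameter/> into the SQL text.

    The parameter becomes part of the statement, so a value containing ';'
    appends a second statement.  executescript() stands in for a driver that
    runs stacked statements (demo assumption; some JDBC drivers do).  Returns
    the text that was actually handed to the database.
    """
    sql = "select * from AllTask where wfID=" + my_id
    conn.executescript(sql)
    return sql


def run_parameterized(conn, my_id):
    """Equivalent of wrapping the value in <esql:parameter/>: esql emits a '?'
    placeholder and binds the value through a PreparedStatement.

    The value never reaches the SQL parser.  The payload is compared as a
    plain string against wfID, matches no row, and no second statement exists.
    """
    cur = conn.execute("select * from AllTask where wfID = ?", (my_id,))
    return cur.fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("sent to database:", run_concatenated(db, PAYLOAD))
    print("tasks marked done after concatenation:", done_count(db))

    db = fresh_db()
    print("rows for payload via bound parameter:", run_parameterized(db, PAYLOAD))
    print("tasks marked done after binding:", done_count(db))
    print("rows for myID=1 via bound parameter:", run_parameterized(db, "1"))
```

The concatenated run marks both constructed tasks done because the injected update executes; the bound-parameter run returns no rows for the same input and leaves the table untouched, while a legitimate myID of 1 still finds its row. In the logicsheet this is what the reply's advice amounts to: put the request parameter inside <esql:parameter/> within the esql query so that esql generates the placeholder and binds the value instead of splicing it into the SQL text.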

