cocoon-users mailing list archives

From Geoff Howard <>
Subject Re: binding params in dynamic queries in ESQL
Date Fri, 05 Mar 2004 21:45:48 GMT
Geoff Howard wrote:

> How are you protecting against SQL Injection attacks?
> <esql:query>select * from foo where foo.x = 
> '<xsp-request:get-parameter name="bar"/>'</esql:query>
> if you take myVar in any way from a request parameter, what happens if 
> I pass in a value like bar=abc;delete%20from%20foo (try it on your app).

Oops, changed my example without changing all references - myVar is 
supposed to be bar obviously.

I don't have many soapboxes but this is one of them - I have inherited 
applications crippled by problems like this.
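The point Geoff makes, reduced to plain SQL so it can be run outside Cocoon: an added example that is not from this thread, using Python's sqlite3 as a stand-in for the ESQL logicsheet and a constructed `foo` table. `interpolated_sql` builds the statement the way the quoted `<esql:query>` does; `bound_lookup` is the bound-parameter form the subject line asks about.

```python
import sqlite3

# Constructed stand-in for the "foo" table from the ESQL query in the thread.
SAMPLE_ROWS = [("abc",), ("O'Brien",)]


def _fresh_db():
    """In-memory database seeded with the sample rows (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (x text)")
    conn.executemany("insert into foo values (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def interpolated_sql(bar):
    """Builds the statement the way the quoted ESQL does: the request
    parameter is pasted into the SQL text between single quotes."""
    return "select * from foo where foo.x = '" + bar + "'"


def interpolated_lookup(bar):
    """Runs the interpolated statement. A quote inside bar ends the literal
    early, so the rest of the value reaches the parser as SQL, not as data."""
    conn = _fresh_db()
    return conn.execute(interpolated_sql(bar)).fetchall()


BOUND_SQL = "select * from foo where foo.x = ?"


def bound_lookup(bar):
    """Same query with the value bound as a parameter: the statement text is
    constant and the driver passes bar as data, whatever it contains."""
    conn = _fresh_db()
    return conn.execute(BOUND_SQL, (bar,)).fetchall()


def interpolation_breaks(bar):
    """True if the interpolated form fails to parse for this input, which
    means the input was interpreted as SQL syntax. A quick self-check."""
    try:
        interpolated_lookup(bar)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    for value in ("abc", "O'Brien"):
        print(repr(value), "bound ->", bound_lookup(value),
              "| interpolated breaks:", interpolation_breaks(value))
```

A legitimate value such as `O'Brien` is enough to show the difference: the bound form returns the row, while the interpolated form lets the quote change the statement.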
