cocoon-users mailing list archives

From olivier demah <ode...@messagio.com>
Subject Re: Conditionnal esql-query ?
Date Mon, 05 Apr 2004 15:23:49 GMT
Christopher Painter-Wakefield wrote:

>
>
>Because you can't :)
>
>Keep in mind what is really happening here.  The ESQL logicsheet is turning
>all of this into java code.  What kind of java code probably happens with
>the esql:query tag?  Well, it probably needs to obtain a String which it
>can then pass into JDBC as the query, right?  Now, try this in java:
>
>String query = if (...) { ... } else { ... }
>
>See the problem?
>
>However, the problem suggests the solution.  You CAN do it, but only if you
>make your if/else into an expression, using the question mark operator,
>e.g.,
>
><xsp:expr>(id_blog_news == null) ? ... : ... </xsp:expr>
>
>
>Better, though, is to just pull the entire query and if/else block outside
>the esql code, e.g.,
>
>String sql;
>if (id_blog_news == null) {
>      sql = "SELECT .....";
>} else {
>      sql = ....
>}
>
>then you can do
><esql:query>
>      <xsp:expr>sql</xsp:expr>
></esql:query>
>
>
>You can also put your if-else around the entire esql:execute-query block,
>that is, you can have one esql:connection around all of your individual
>queries, for what small savings in code that is.
>
>Finally, though, keep in mind that your dynamic SQL code potentially
>provides opportunities for hackers to modify your SQL in ways you did not
>intend by what they supply in the request parameters.  So you might be
>better off going back to your first code that does an if/else around the
>whole SQL block, and using <esql:parameter> instead of inlining SQL using
><xsp:expr>.
>
>-Christopher
>
>
>
>
>
>From:     olivier demah <odemah@messagio.com>
>Date:     04/05/2004 10:53 AM
>Please respond to users
>To:       users@cocoon.apache.org
>cc:
>Subject:  Conditionnal esql-query ?
>
>
>
>
>....
>this one is not ok :
>
><blog_addnews>
><xsp:logic>
>String id_blog_user = request.getParameter("id_blog_user");
>String id_blog_news = request.getParameter("id_blog_news");
>if ( id_blog_user == null) {
>    id_blog_user = <xsp-session-fw:getxml context="authentication"
>as="string" path="/authentication/data/id_blog_user"/> ;
>}
>
>
>    <esql:connection>
>        <esql:pool>mblog_pg</esql:pool>
>
>        <esql:execute-query>
>            <esql:query>
>             if (id_blog_news == null) {
>                SELECT * FROM blog_news WHERE blog_news.id_blog_user =
>'<xsp:expr>id_blog_user</xsp:expr>'
>              } else {
>                SELECT * FROM blog_news WHERE blog_news.id_blog_user =
>'<xsp:expr>id_blog_user</xsp:expr>' AND id_blog_news =
>'<xsp:expr>id_blog_news</xsp:expr>'
>              }
>           </esql:query>
>            <esql:results>
>                <esql:row-results>
>                <blog_new>
>                    <id_blog_news><esql:get-int
>column="id_blog_news"/></id_blog_news>
>                    <id_blog_user><esql:get-string
>column="id_blog_user"/></id_blog_user>
>                    <news_title><esql:get-string
>column="news_title"/></news_title>
>                    <news_text><esql:get-string
>column="news_text"/></news_text>
>                    <news_image><esql:get-string
>column="news_image"/></news_image>
>                    <news_date_creation><esql:get-string
>column="news_date_creation"/></news_date_creation>
>                    <news_date_modify><esql:get-string
>column="news_date_modify"/></news_date_modify>
>
>                </blog_new>
>                </esql:row-results>
>            </esql:results>
>        </esql:execute-query>
>    </esql:connection>
></xsp:logic>
></blog_addnews>
>
>
>but why can't I just do a simple if just on the esql-query part ?
>
>  
>
I understand everything :-)
thx
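
Christopher's closing suggestion, written out as an added example (not code from the thread or from the Cocoon project): the if/else wraps two complete esql:execute-query blocks, and every request value is bound through <esql:parameter> instead of being inlined with <xsp:expr>. The type attribute values and the integer type of id_blog_news are assumptions; the result columns are cut to two.

```xml
<!-- Added example. Assumes type="String"/"Int" select the JDBC setter. -->
<blog_addnews>
<xsp:logic>
String id_blog_user = request.getParameter("id_blog_user");
String id_blog_news = request.getParameter("id_blog_news");
if (id_blog_user == null) {
    id_blog_user = <xsp-session-fw:getxml context="authentication"
        as="string" path="/authentication/data/id_blog_user"/>;
}
</xsp:logic>
<esql:connection>
  <esql:pool>mblog_pg</esql:pool>
  <xsp:logic>
  // The Java if/else selects a whole query block; request data reaches the
  // database only as bound values, never as part of the SQL text.
  if (id_blog_news == null) {
    <esql:execute-query>
      <esql:query>
        SELECT * FROM blog_news WHERE blog_news.id_blog_user =
        <esql:parameter type="String"><xsp:expr>id_blog_user</xsp:expr></esql:parameter>
      </esql:query>
      <esql:results><esql:row-results>
        <blog_new>
          <id_blog_news><esql:get-int column="id_blog_news"/></id_blog_news>
          <news_title><esql:get-string column="news_title"/></news_title>
        </blog_new>
      </esql:row-results></esql:results>
    </esql:execute-query>
  } else {
    // Integer.parseInt rejects non-numeric input with a NumberFormatException
    // before any SQL is sent (assumes id_blog_news is an integer column).
    <esql:execute-query>
      <esql:query>
        SELECT * FROM blog_news WHERE blog_news.id_blog_user =
        <esql:parameter type="String"><xsp:expr>id_blog_user</xsp:expr></esql:parameter>
        AND id_blog_news =
        <esql:parameter type="Int"><xsp:expr>Integer.parseInt(id_blog_news)</xsp:expr></esql:parameter>
      </esql:query>
      <esql:results><esql:row-results>
        <blog_new>
          <id_blog_news><esql:get-int column="id_blog_news"/></id_blog_news>
          <news_title><esql:get-string column="news_title"/></news_title>
        </blog_new>
      </esql:row-results></esql:results>
    </esql:execute-query>
  }
  </xsp:logic>
</esql:connection>
</blog_addnews>
```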
