cocoon-users mailing list archives

From Joose Vettenranta <jo...@iki.fi>
Subject Re: XSP : store the result of the ESQL query
Date Tue, 18 May 2004 07:59:59 GMT
This is a bad query.

Better is to use the tools we have. So the query should be written like this:

<esql:query>
  SELECT rub_position FROM m_rub_player_ope WHERE player_url_name = 
<esql:parameter 
type="string"><xsp:expr>player_url_name</xsp:expr></esql:parameter> 
ORDER BY rub_position LIMIT 1
</esql:query>

Now it is escaped and prevents SQL injection, which the original query 
did not do.

HTH,

Joose

On 18.5.2004 at 10:49, Olivier Billard wrote:

> Hi homonym,
>
> This solution works "if it works"!
> But if the first query fails, you'll get an unexpected result for the 
> second query if maxpos is not initialized...
> Remember that queries can be embedded in each other:
>
> sql = "SELECT rub_position FROM m_rub_player_ope WHERE player_url_name 
> = '"+player_url_name+"' ORDER BY rub_position LIMIT 1";
> <esql:connection>
> <esql:pool>my_pool</esql:pool>
> <esql:execute-query>
> <esql:query><xsp:expr>sql</xsp:expr></esql:query>
> <esql:results>
> <esql:row-results>
> <xsp:logic>
> maxpos = <esql:get-int column="rub_position"/>;
> maxpos = maxpos + 10;
>
> <esql:execute-query>
> <esql:query>
> INSERT INTO m_rub_player_ope 
> (rub_id,player_url_name,ope_url_name,rub_display,rub_position)
> VALUES (
> <esql:parameter 
> type="string"><xsp:expr>rub_id</xsp:expr></esql:parameter>,
> <esql:parameter 
> type="string"><xsp:expr>player_url_name</xsp:expr></esql:parameter>,
> <esql:parameter 
> type="string"><xsp:expr>ope_url_name</xsp:expr></esql:parameter>,
> <esql:parameter type="string">oui</esql:parameter>,
> '<xsp:expr>maxpos</xsp:expr>');
> </esql:query>
> <esql:error-results><message>Error during 
> Insert</message></esql:error-results>
> <esql:update-results>
> <esql:get-update-count/><message continuer="do-list-rub.html">Your 
> record is adding ya can click on </message>
> </esql:update-results>
> </esql:execute-query>
>
> </xsp:logic>
> </esql:row-results>
> </esql:results>
> </esql:execute-query>
> <esql:error-results>
>   // deal with errors here
> </esql:error-results>
> </esql:connection>
>
> HTH,
> --
> Olivier Billard
>
>
> olivier demah wrote:
>> olivier demah wrote:
>>> Hi,
>>> I would like to know if I can store the result of an ESQL query in a 
>>> variable to be reused in another ESQL query later in the same XSP?
>>>
>>> regards
>> Here is the solution:
>> sql = "SELECT rub_position FROM m_rub_player_ope WHERE 
>> player_url_name = '"+player_url_name+"' ORDER BY rub_position LIMIT 
>> 1";
>> <esql:connection>
>> <esql:pool>my_pool</esql:pool>
>> <esql:execute-query>
>> <esql:query><xsp:expr>sql</xsp:expr></esql:query>
>> <esql:results>
>> <esql:row-results>
>> <xsp:logic>
>> maxpos = <esql:get-int column="rub_position"/>;
>> maxpos = maxpos + 10;
>> </xsp:logic>
>> </esql:row-results>
>> </esql:results>
>> </esql:execute-query>
>> <esql:execute-query>
>> <esql:query>
>> INSERT INTO m_rub_player_ope 
>> (rub_id,player_url_name,ope_url_name,rub_display,rub_position)
>> VALUES (
>> <esql:parameter 
>> type="string"><xsp:expr>rub_id</xsp:expr></esql:parameter>,
>> <esql:parameter 
>> type="string"><xsp:expr>player_url_name</xsp:expr></esql:parameter>,
>> <esql:parameter 
>> type="string"><xsp:expr>ope_url_name</xsp:expr></esql:parameter>,
>> <esql:parameter type="string">oui</esql:parameter>,
>> '<xsp:expr>maxpos</xsp:expr>');
>> </esql:query>
>> <esql:error-results><message>Error during 
>> Insert</message></esql:error-results>
>> <esql:update-results>
>> <esql:get-update-count/><message continuer="do-list-rub.html">Your 
>> record is adding ya can click on </message>
>> </esql:update-results>
>> </esql:execute-query>
>> </esql:connection>
>> Thanks to steve_k on #cocoon@freenode.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
> For additional commands, e-mail: users-help@cocoon.apache.org
>
>
--
"Always remember that you are unique, just like everyone else!"
* http://iki.fi/joose/ * joose@iki.fi * +358 44 561 0270 *
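Joose's bind-parameter fix and Olivier's uninitialised-maxpos warning, carried through as an added example that is not code from this thread or from Cocoon: the same SELECT/INSERT pair written against Python's sqlite3 with `?` placeholders (the equivalent of esql:parameter), over a constructed m_rub_player_ope table (column set assumed from the thread), with a default position when the SELECT returns no row.

```python
import sqlite3

# Constructed sample data; column names follow the thread, types are assumed.
SCHEMA = """
CREATE TABLE m_rub_player_ope (
    rub_id TEXT, player_url_name TEXT, ope_url_name TEXT,
    rub_display TEXT, rub_position INTEGER
);
INSERT INTO m_rub_player_ope VALUES ('r1', 'dupont', 'op1', 'oui', 10);
INSERT INTO m_rub_player_ope VALUES ('r2', 'dupont', 'op2', 'oui', 20);
INSERT INTO m_rub_player_ope VALUES ('r3', 'o''neil', 'op1', 'oui', 30);
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def first_position_concat(conn, player_url_name):
    # The original query from the thread: the value is spliced into the SQL
    # text, so any quote character in it changes the statement itself.
    sql = ("SELECT rub_position FROM m_rub_player_ope WHERE player_url_name = '"
           + player_url_name + "' ORDER BY rub_position LIMIT 1")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def concat_query_breaks(conn, player_url_name):
    # True when the spliced statement is no longer valid SQL for this value.
    try:
        first_position_concat(conn, player_url_name)
        return False
    except sqlite3.Error:
        return True

def first_position_param(conn, player_url_name):
    # Joose's fix: the value is bound as a parameter and is only ever data.
    sql = ("SELECT rub_position FROM m_rub_player_ope WHERE player_url_name = ? "
           "ORDER BY rub_position LIMIT 1")
    row = conn.execute(sql, (player_url_name,)).fetchone()
    return row[0] if row else None

def add_rubric(conn, rub_id, player_url_name, ope_url_name, default_pos=0):
    # Olivier's point: when the SELECT yields no row, maxpos must still be set.
    maxpos = first_position_param(conn, player_url_name)
    maxpos = default_pos if maxpos is None else maxpos + 10
    conn.execute(
        "INSERT INTO m_rub_player_ope "
        "(rub_id, player_url_name, ope_url_name, rub_display, rub_position) "
        "VALUES (?, ?, ?, 'oui', ?)",
        (rub_id, player_url_name, ope_url_name, maxpos))
    return maxpos
```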

