cocoon-users mailing list archives

From Joose Vettenranta <>
Subject Re: [esql] CForm textarea + ESQL=cannot save character ' in the database
Date Thu, 22 Jul 2004 07:57:54 GMT

You should not do INSERT in that way. It's a way to SQL injection.

Every parameter which can be changed by user or a hacker should be 
checked and rechecked.

So, do insert like this in ESQL+XSP:

  INSERT INTO tablename (field1, field2) VALUES (

Check from cocoon site about esql and parameter element for more 

HTH, Joose

On 22.7.2004 at 11:28, milkwaybridge wrote:

> There are some input areas in the page, users input will be saved in 
> the database.
> I use CForm and ESQL, turned out that user cannot input character ' , 
> because ESQL use it to quote values
> <esql:query> insert into tablename (field1, field2) values 
> ('value1','value2') </esql:query>
> now I don't know what to do
> Thanks for your help!!!!!!!!!
"Always remember that you are unique, just like everyone else!"
* * * +358 44 561 0270 *
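Joose's point in working form, as an added example that is not part of the thread: ESQL's esql:parameter element hands the values to a JDBC PreparedStatement instead of pasting them into the SQL text, which the `?` placeholders below model with Python's sqlite3. The table, column names and the textarea values are constructed for this demo.

```python
import sqlite3

# Constructed sample input: what a user might type into the CForm textarea.
FIELD1 = "milkwaybridge"
FIELD2 = "don't quote me"


def open_db():
    """In-memory database with the same two-column table as the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (field1 TEXT, field2 TEXT)")
    return conn


def insert_quoted(conn, value1, value2):
    """Model of the original <esql:query>: the values are pasted into the
    SQL text between single quotes, so a ' in the input ends the literal
    early and the rest of the input is parsed as SQL."""
    sql = f"INSERT INTO tablename (field1, field2) VALUES ('{value1}','{value2}')"
    conn.execute(sql)
    conn.commit()


def insert_bound(conn, value1, value2):
    """Model of esql:parameter: the SQL text only carries placeholders and
    the values travel separately, so they are stored as-is and never parsed."""
    conn.execute("INSERT INTO tablename (field1, field2) VALUES (?, ?)",
                 (value1, value2))
    conn.commit()


def stored_rows(conn):
    return conn.execute("SELECT field1, field2 FROM tablename").fetchall()


def demo():
    """Returns (error text from the quoted insert, rows after the bound insert)."""
    conn = open_db()
    try:
        insert_quoted(conn, FIELD1, FIELD2)
        quoted_error = None
    except sqlite3.OperationalError as exc:
        # The apostrophe in FIELD2 breaks the statement before anything is stored.
        quoted_error = str(exc)
    insert_bound(conn, FIELD1, FIELD2)
    return quoted_error, stored_rows(conn)
```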
