cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joose Vettenranta <jo...@iki.fi>
Subject Re: [esql] CForm textarea + ESQL=cannot save character ' in the database
Date Thu, 22 Jul 2004 07:57:54 GMT
Hi,

you should not do INSERT in that way.. It's a way to SQL Injection 
attacks.

Every parameter which can be changed by user or a hacker should be 
checked and rechecked.

So, do insert like this in ESQL+XSP:

<esql:query>
  INSERT INTO tablename (field1, field2) VALUES (
  <esql:parameter 
type="string"><xsp:expr>value1</xsp:expr></esql:parameter>,
  <esql:parameter 
type="string"><xsp:expr>value2</xsp:expr></esql:parameter>)
</esql:query>

Check from cocoon site about esql and parameter element for more 
information.

HTH, Joose

22.7.2004 kello 11:28, milkwaybridge kirjoitti:

  There are some input areas in the page, users input will be saved in 
the database.
> I use CForm and ESQL, turned out that user cannot input character ' , 
> because ESQL use it to quote values
> <esql:query> insert into tablename (field1, field2) values 
> ('value1','value2') </esql:query>
> now I don't know what to do
> Thanks for your help!!!!!!!!!
--
"Always remember that you are unique, just like everyone else!"
* http://iki.fi/joose/ * joose@iki.fi * +358 44 561 0270 *


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org


Mime
View raw message