cocoon-users mailing list archives

From Ugo Cei <...@apache.org>
Subject Re: SQL Transformer - how to prevent injecting?
Date Fri, 12 Nov 2004 20:03:00 GMT
On 12/nov/04, at 17:58, Ilya Vyatkin wrote:

> As I see, using <esql:parameter> needs stored procedure support.. but we
> don't have it there.

No, it doesn't, unless I'm horribly mistaken. It's been a while since I 
last used ESQL, but I can recall from memory that I used to do:

<esql:query>
   select * from tab where id = 
<esql:parameter><xsp:expr>foobar</xsp:expr></esql:parameter>
</esql:query>

which causes the logicsheet to use a PreparedStatement and bind 
parameters instead of literals.

	Ugo

-- 
Ugo Cei - http://beblogging.com/
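As an added illustration of the point above (not code from the thread or from Cocoon itself): the ESQL logicsheet turns an <esql:parameter> into a JDBC PreparedStatement bind, whereas an <xsp:expr> spliced directly into the query text becomes part of the SQL string. Python's sqlite3 stands in for JDBC here (the "?" placeholder binds the same way), and the table and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory table standing in for "tab" from the query in the mail.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tab (id text, secret text)")
    conn.executemany(
        "insert into tab values (?, ?)",
        [("1", "alpha"), ("2", "beta"), ("3", "gamma")],
    )
    return conn


def query_literal(conn, user_value):
    # What you get when the expression is dropped straight into the query text:
    # the value is concatenated into the SQL, so quotes in it change the statement.
    sql = "select id from tab where id = '" + user_value + "' order by id"
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn, user_value):
    # What <esql:parameter> produces: the SQL text is fixed at prepare time and the
    # value is bound as data, so it can only ever be compared against "id".
    sql = "select id from tab where id = ? order by id"
    return [row[0] for row in conn.execute(sql, (user_value,))]


def compare(user_value):
    # Returns (rows from the literal query, rows from the bound query) for one input.
    conn = make_db()
    try:
        return query_literal(conn, user_value), query_bound(conn, user_value)
    finally:
        conn.close()
```

With a well-formed id both variants return the same row; with an input that contains a quote and an `or` clause the literal variant returns every row while the bound variant matches nothing.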
