Posted to users@cocoon.apache.org by Joose Vettenranta <jo...@iki.fi> on 2004/07/22 09:57:54 UTC
Re: [esql] CForm textarea + ESQL=cannot save character ' in the database
Hi,
you should not do the INSERT that way; it's an opening for SQL injection
attacks.
Every parameter that can be changed by a user or a hacker should be
checked and rechecked.
So, do the insert like this in ESQL+XSP:
<esql:query>
  INSERT INTO tablename (field1, field2) VALUES (
    <esql:parameter type="string"><xsp:expr>value1</xsp:expr></esql:parameter>,
    <esql:parameter type="string"><xsp:expr>value2</xsp:expr></esql:parameter>)
</esql:query>
Check the Cocoon site for ESQL and the parameter element for more
information.
HTH, Joose
On 22.7.2004 at 11:28, milkwaybridge wrote:
> There are some input areas in the page, users input will be saved in
> the database.
> I use CForm and ESQL, and it turned out that users cannot input the character ' ,
> because ESQL uses it to quote values
> <esql:query> insert into tablename (field1, field2) values
> ('value1','value2') </esql:query>
> now I don't know what to do
> Thanks for your help!!!!!!!!!
--
"Always remember that you are unique, just like everyone else!"
* http://iki.fi/joose/ * joose@iki.fi * +358 44 561 0270 *
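As an added illustration (not from this thread or from Cocoon itself), here are the two inserts from the exchange in Python against an in-memory SQLite table: the concatenated form from the question fails as soon as a value contains an apostrophe, while the bound-parameter form, the JDBC mechanism behind <esql:parameter>, stores it intact. The table and column names follow the thread; the sample values are constructed.

```python
import sqlite3

# Constructed sample input: textarea values containing the apostrophe
# the original poster could not save.
SAMPLE_VALUE1 = "O'Brien"
SAMPLE_VALUE2 = "It's a note with 'quotes'"


def make_db():
    """In-memory table shaped like the one in the thread (tablename/field1/field2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tablename (field1 TEXT, field2 TEXT)")
    return conn


def insert_concatenated(conn, value1, value2):
    """The pattern from the original question: values pasted straight into
    the SQL text. An apostrophe in the input ends the string literal early,
    so the statement is no longer well-formed, and attacker-chosen input
    would be parsed as SQL instead of stored as data."""
    sql = f"INSERT INTO tablename (field1, field2) VALUES ('{value1}', '{value2}')"
    conn.execute(sql)


def insert_parameterized(conn, value1, value2):
    """The pattern from the reply: placeholders in the SQL, values bound
    separately by the driver, so quoting in the data never matters."""
    sql = "INSERT INTO tablename (field1, field2) VALUES (?, ?)"
    conn.execute(sql, (value1, value2))


def concatenation_fails(value1, value2):
    """True if the concatenated form cannot even execute for this input."""
    conn = make_db()
    try:
        insert_concatenated(conn, value1, value2)
    except sqlite3.OperationalError:  # syntax error from the broken literal
        return True
    return False


def roundtrip_parameterized(value1, value2):
    """Insert with bound parameters and read the row back unchanged."""
    conn = make_db()
    insert_parameterized(conn, value1, value2)
    return conn.execute("SELECT field1, field2 FROM tablename").fetchone()
```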