Posted to users@cocoon.apache.org by Gajo Csaba <cs...@enyem.com> on 2007/02/21 11:43:05 UTC

Prepared query with ESQL?

Hello,

Is there a way for me to execute a prepared SQL statement? For example,  
something like:

<esql:query>UPDATE User SET display_name=? WHERE ID=?</esql:query>

It would be quite a security risk if I just used the user-submitted data  
instead of the ? here. Any way to do this?

Thanks, Csaba


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org


Re: Prepared query with ESQL?

Posted by Gajo Csaba <cs...@enyem.com>.
On Wed, 21 Feb 2007 11:55:51 +0100, Torsten Curdt <tc...@apache.org>  
wrote:
>
> On 21.02.2007, at 11:43, Gajo Csaba wrote:
>
>> Hello,
>>
>> Is there a way for me to execute a prepared SQL statement? For example,  
>> something like:
>>
>> <esql:query>UPDATE User SET display_name=? WHERE ID=?</esql:query>
>>
>> It would be quite a security risk if I just used the user-submitted  
>> data instead of the ? here. Any way to do this?
>
> ESQL always uses prepared statements (also because of that).
> Have a look at <esql:parameter> (IIRC - boy it has been a while)
>
> cheers
> --
> Torsten


Seems to work, thanks!




Re: Prepared query with ESQL?

Posted by Torsten Curdt <tc...@apache.org>.
On 21.02.2007, at 11:43, Gajo Csaba wrote:

> Hello,
>
> Is there a way for me to execute a prepared SQL statement? For  
> example, something like:
>
> <esql:query>UPDATE User SET display_name=? WHERE ID=?</esql:query>
>
> It would be quite a security risk if I just used the user-submitted  
> data instead of the ? here. Any way to do this?

ESQL always uses prepared statements (also because of that).
Have a look at <esql:parameter> (IIRC - boy it has been a while)

cheers
--
Torsten

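The shape Torsten is pointing at, written out as an added example (this is not code from the thread or from the Cocoon project): the user-supplied values are wrapped in <esql:parameter> inside the <esql:query>, so the ESQL logicsheet emits them as JDBC PreparedStatement bind values instead of splicing them into the SQL text. The pool name "users_pool", the request parameter names and the surrounding page element are assumptions; the result-handling elements are the ones the ESQL logicsheet documents for update statements and errors, as I recall them.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the thread. Assumed: pool "users_pool",
     request parameters "display_name" and "id", and the <page> wrapper. -->
<xsp:page language="java"
          xmlns:xsp="http://apache.org/xsp"
          xmlns:esql="http://apache.org/cocoon/SQL/v2">
  <page>
    <esql:connection>
      <esql:pool>users_pool</esql:pool>
      <esql:execute-query>
        <!-- Each <esql:parameter> becomes a "?" placeholder in the SQL
             sent to the driver; the nested <xsp:expr> supplies the value
             that is bound with setString / setInt at execution time. -->
        <esql:query>
          UPDATE User
             SET display_name = <esql:parameter type="string"><xsp:expr>request.getParameter("display_name")</xsp:expr></esql:parameter>
           WHERE ID = <esql:parameter type="int"><xsp:expr>Integer.parseInt(request.getParameter("id"))</xsp:expr></esql:parameter>
        </esql:query>
        <!-- Rows affected by the UPDATE. -->
        <esql:update-results>
          <updated><esql:get-update-count/></updated>
        </esql:update-results>
        <!-- Driver or SQL error, reported instead of a stack trace. -->
        <esql:error-results>
          <error><esql:get-message/></error>
        </esql:error-results>
      </esql:execute-query>
    </esql:connection>
  </page>
</xsp:page>
```

Two things worth checking when adopting this: the type attribute decides which PreparedStatement setter is used, so a non-numeric "id" fails in Integer.parseInt before any SQL runs rather than reaching the database; and because XSP compiles the page to a Java source in Cocoon's work directory, opening that generated class and confirming the query string contains literal "?" placeholders (with setString/setInt calls beside it, and no string concatenation of request values) is the quickest way to verify the binding actually happened.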