You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@cocoon.apache.org by Gajo Csaba <cs...@enyem.com> on 2007/02/21 11:43:05 UTC
Prepared query with ESQL?
Hello,
Is there a way for me to execute a prepared SQL statement? For example,
something like:
<esql:query>UPDATE User SET display_name=? WHERE ID=?</esql:query>
It would be quite a security risk if I just used the user-submitted data
instead of the ? here. Any way to do this?
Thanks, Csaba
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org
Re: Prepared query with ESQL?
Posted by Gajo Csaba <cs...@enyem.com>.
On Wed, 21 Feb 2007 11:55:51 +0100, Torsten Curdt <tc...@apache.org>
wrote:
>
> On 21.02.2007, at 11:43, Gajo Csaba wrote:
>
>> Hello,
>>
>> Is there a way for me to execute a prepared SQL statement? For example,
>> something like:
>>
>> <esql:query>UPDATE User SET display_name=? WHERE ID=?</esql:query>
>>
>> It would be quite a security risk if I just used the user-submitted
>> data instead of the ? here. Any way to do this?
>
> ESQL always uses prepared statement (also because of that).
> Have a look at <esql:parameter> (IIRC - boy it has been a while)
>
> cheers
> --
> Torsten
Seems to work, thanks!
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org
Re: Prepared query with ESQL?
Posted by Torsten Curdt <tc...@apache.org>.
On 21.02.2007, at 11:43, Gajo Csaba wrote:
> Hello,
>
> Is there a way for me to execute a prepared SQL statement? For
> example, something like:
>
> <esql:query>UPDATE User SET display_name=? WHERE ID=?</esql:query>
>
> It would be quite a security risk if I just used the user-submitted
> data instead of the ? here. Any way to do this?
ESQL always uses prepared statement (also because of that).
Have a look at <esql:parameter> (IIRC - boy it has been a while)
cheers
--
Torsten
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@cocoon.apache.org
For additional commands, e-mail: users-help@cocoon.apache.org