23 Aug 2001, 10:51 p.m.
Andreas Heckel wrote:
I have tried some other ways to access the query: select * from table_name where table_field2='<dtml-sqlvar argument2 type=string>'; ... I need help. Any comments can help me. Thanks.
select * from table_name where table_field2='<dtml-var argument2>'
or
select * from table_name where table_field2='<dtml-var "_.str(argument2)">'
ACK! No, no, no, don't use <dtml-var> in a SQL method; use <dtml-sqlvar>. What if argument2 was set to "43;drop database mydatabase"? Yep, you'd get a select, but your database would be erased. <dtml-sqlvar> does checks to keep this type of attack from happening.

--
Tom Jenkins
devIS - Development Infostructure
http://www.devis.com
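A worked illustration of Tom's point, added here as an example; it is not code from the original thread or from Zope. Python's sqlite3 stands in for the database. sqlvar_string and sqlvar_int are hypothetical stand-ins for what <dtml-sqlvar type=string> and <dtml-sqlvar type=int> do (the real tag delegates quoting to the database adapter), and sqlite3's executescript stands in for a driver that accepts several ';'-separated statements in one call, which is what turns "43;drop ..." into a destructive query. The sample rows are constructed.

```python
import sqlite3

# Constructed sample data standing in for the poster's table_name.
SAMPLE_ROWS = [
    (1, "alpha", "public"),
    (2, "bravo", "secret"),
    (3, "charlie", "public"),
]


def make_db():
    """Fresh in-memory database with the table the thread queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table table_name (id integer, table_field2 text, note text)")
    conn.executemany("insert into table_name values (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_exists(conn):
    """True while table_name has not been dropped."""
    row = conn.execute(
        "select name from sqlite_master where type='table' and name='table_name'"
    ).fetchone()
    return row is not None


def sqlvar_string(value):
    """Hypothetical stand-in for <dtml-sqlvar ... type=string>: doubles embedded
    single quotes and wraps the result in quotes, so whatever the user sent can
    only ever be one string literal in the statement."""
    return "'" + str(value).replace("'", "''") + "'"


def sqlvar_int(value):
    """Hypothetical stand-in for <dtml-sqlvar ... type=int>: the value must parse
    as an integer, so "43;drop database mydatabase" never reaches the database."""
    try:
        return int(str(value).strip())
    except ValueError:
        raise ValueError("type=int: %r is not an integer" % (value,))


def query_by_field_dtml_var(conn, argument2):
    """Mimics <dtml-var argument2>: the value is pasted into the SQL text as-is."""
    sql = "select * from table_name where table_field2='%s'" % argument2
    return conn.execute(sql).fetchall()


def query_by_field_dtml_sqlvar(conn, argument2):
    """Same query, but the value is quoted the way <dtml-sqlvar> would quote it."""
    sql = "select * from table_name where table_field2=%s" % sqlvar_string(argument2)
    return conn.execute(sql).fetchall()


def query_parameterized(conn, argument2):
    """The DB-API way: bind the value instead of splicing it into SQL text."""
    return conn.execute(
        "select * from table_name where table_field2=?", (argument2,)
    ).fetchall()


def query_by_id_dtml_var(conn, argument):
    """Tom's scenario: an unquoted numeric field rendered with <dtml-var>, on a
    driver that runs every statement it is handed (executescript stands in for
    that; sqlite3's plain execute() would refuse the second statement).
    Returns whether table_name survived the call."""
    conn.executescript("select * from table_name where id=%s" % argument)
    return table_exists(conn)


def query_by_id_dtml_sqlvar(conn, argument):
    """Same lookup with the type=int check applied first."""
    sql = "select * from table_name where id=%d" % sqlvar_int(argument)
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(query_by_field_dtml_var(conn, "' OR '1'='1"))     # every row, secrets included
    print(query_by_field_dtml_sqlvar(conn, "' OR '1'='1"))  # [] : treated as a literal
    print(query_by_id_dtml_var(conn, "43;drop table table_name"))  # False: table is gone
    try:
        query_by_id_dtml_sqlvar(make_db(), "43;drop table table_name")
    except ValueError as exc:
        print("rejected before reaching the database:", exc)
```

The string case shows the quieter failure (a payload that widens the WHERE clause instead of destroying anything); the id case is the one in Tom's message. Bound parameters, as in query_parameterized, are the right answer wherever the adapter supports them; quoting is what the 2001-era tag did.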