26 Feb 2002, 12:43 p.m.
Jan Johansson wrote:
Uhhhhm, dare I ask another question? What is the correct way (if any) to insert "Asc"/"Desc" arguments in a SQL statement? Using dtml-var might not be clever, since you could insert hostile code, and dtml-sqlvar quotes the values so it inserts 'DESC' instead of DESC.
Just do not pass any part of the actual SQL you will use in REQUEST, and you should be fine. Probably easiest in this case would be to pass a flag that means ascending, then use some dtml in your ZSQL Method like this, or something similar:

    <dtml-if sort_order_asc>ASC<dtml-else>DESC</dtml-if>

-- Jim Washington
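
The flag approach from the reply, sketched in plain Python with sqlite3 as an added example that is not part of the original thread. The `items` table, the `sort_on` and `min_price` request keys and the function names are assumptions, and the column allowlist extends the same idea beyond ASC/DESC.

```python
import sqlite3

# Fixed SQL fragments. Request data only selects among these; it is never
# copied into the statement text. Column names are hypothetical.
SORT_COLUMNS = {"name": "name", "price": "price"}
DEFAULT_COLUMN = "name"


def build_query(request):
    """Return (sql, params) for a request dict standing in for Zope's REQUEST."""
    # Same test as <dtml-if sort_order_asc>: only the truthiness of the flag
    # matters, so its content cannot reach the SQL.
    direction = "ASC" if request.get("sort_order_asc") else "DESC"
    # Unknown or hostile column names fall back to the default.
    column = SORT_COLUMNS.get(request.get("sort_on"), DEFAULT_COLUMN)
    sql = ("SELECT name, price FROM items WHERE price >= ? "
           f"ORDER BY {column} {direction}")
    # Values (what dtml-sqlvar handles) go through parameter binding.
    return sql, (float(request.get("min_price", 0)),)


def run(request):
    """Run the query on a constructed in-memory table; return (sql, rows, row_count)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO items VALUES (?, ?)",
        [("apple", 3.0), ("pear", 1.5), ("fig", 7.25)],  # constructed sample rows
    )
    sql, params = build_query(request)
    rows = conn.execute(sql, params).fetchall()
    row_count = conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]
    conn.close()
    return sql, rows, row_count


if __name__ == "__main__":
    for req in (
        {"sort_order_asc": "1", "sort_on": "price"},
        {"sort_on": "price"},
        # Constructed hostile values: neither string appears in the SQL.
        {"sort_order_asc": "ASC; DROP TABLE items", "sort_on": "price; DROP TABLE items"},
    ):
        print(run(req))
```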