On Thu, Jan 30, 2003 at 01:33:15PM +0100, Dieter Fischer wrote:
> Hello
> This is an example of exUserFolder, it should also work for your problem:
> Arguments:
> table=adressen usernameColumn=dbusername username:string
> SQL:
> DELETE FROM <dtml-var table> where <dtml-var usernameColumn>=<dtml-sqlvar username type=string>
Better would be, in that it still prevents SQL injection:

DELETE FROM <dtml-var table sql_quote> where <dtml-var usernameColumn sql_quote>=<dtml-sqlvar username type=string>

But, I agree with everyone else in this thread. This is a horrid design; suitable for use only inside a firewall with a highly trusted audience. It is far better to write many controllable and auditable SQL methods than a few generalized ones that cannot be trusted.

And I do not really buy the "it must be general" idea. That would be true only if you are allowing end users to create new tables, and then you would not know enough of the structure to present the results of a select, anyway.

Jim Penny
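The point Jim makes, that a "controllable and auditable" SQL method beats a generalized one taking table and column names from the caller, can be shown outside DTML. The following is an added example written for this page, not code from the thread or from exUserFolder: it reproduces the DELETE method in plain Python against an in-memory sqlite3 database. Table and column names cannot be passed as bound parameters, so instead of quoting them they are checked against a fixed allow-list (the table name "adressen" and column "dbusername" are taken from the thread; the rows, the e-mail addresses and the helper names are constructed for the example), while the username value is bound by the driver, so a quote character inside it stays data rather than SQL.

```python
import re
import sqlite3

# Allow-list of (table -> permitted columns) this method may act on.
# Constructed for this example; mirrors writing one auditable SQL method
# per table instead of a generalized "any table, any column" method.
ALLOWED_TARGETS = {
    "adressen": {"dbusername"},
}

# Identifiers that would survive the allow-list must also look like plain
# SQL identifiers; this is belt-and-braces, the allow-list is the real check.
IDENTIFIER_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_delete(table, username_column):
    """Return a parameterized DELETE for an allow-listed table and column.

    Identifiers are never quoted or escaped into the statement from caller
    input; they are only accepted if they appear verbatim in ALLOWED_TARGETS.
    The username itself is left as a '?' placeholder for the driver to bind.
    """
    if table not in ALLOWED_TARGETS or not IDENTIFIER_RE.match(table):
        raise ValueError("table not permitted: %r" % (table,))
    if (username_column not in ALLOWED_TARGETS[table]
            or not IDENTIFIER_RE.match(username_column)):
        raise ValueError("column not permitted: %r" % (username_column,))
    return "DELETE FROM %s WHERE %s = ?" % (table, username_column)


def delete_user(conn, table, username_column, username):
    """Run the allow-listed DELETE with the username bound as a parameter.

    Returns the number of rows removed."""
    sql = build_delete(table, username_column)
    cur = conn.execute(sql, (username,))
    conn.commit()
    return cur.rowcount


def demo():
    """Exercise the method on constructed data; returns a tuple of results."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE adressen (dbusername TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO adressen VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    # A username containing a quote is bound as a value, so nothing matches
    # and the statement is not altered: 0 rows deleted.
    deleted_quote = delete_user(conn, "adressen", "dbusername", "o'brien")
    # A real username deletes exactly that row: 1 row deleted.
    deleted_bob = delete_user(conn, "adressen", "dbusername", "bob")
    remaining = conn.execute("SELECT COUNT(*) FROM adressen").fetchone()[0]
    # A table the method was not written for is refused before any SQL is built.
    try:
        build_delete("other_table", "dbusername")
        rejected = False
    except ValueError:
        rejected = True
    return deleted_quote, deleted_bob, remaining, rejected


if __name__ == "__main__":
    print(demo())  # (0, 1, 2, True)
```

Each entry in ALLOWED_TARGETS is in effect one of the "many controllable and auditable SQL methods" Jim describes: adding a table means a code change that can be reviewed, rather than a parameter a caller can fill in at request time.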