5 Jul 2002, 9:28 p.m.
Roger Erens writes:
Any advice with respect to the safety of using the dtml-var, i.e. could the formfield 'tablename' be fiddled with to contain something like 'employees; delete from employees'?
Is there an alternative solution to get rid of the quotes in the dtml-sqlvar? I would pass a code (e.g. "1", "2", ...) and resolve the code into a table name inside the ZSQL with a "_.test" call (see DTML reference).
Dieter
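As an added example (not code from this thread), the same allowlist idea in plain Python with sqlite3: the table name is resolved from a request code through a fixed mapping, the way Dieter's `_.test` dispatch does it inside the ZSQL method, while the row value is bound as a parameter as dtml-sqlvar would do; the verbatim-interpolation form Roger asks about is kept beside it for comparison. The table names and sample rows are constructed for the example.

```python
import sqlite3

# Allowlist: the only table names a request code may resolve to (constructed
# sample names). This is the dispatch Dieter describes doing with
# _.test(code=='1', 'employees', code=='2', 'departments', ...) in the ZSQL method.
TABLE_BY_CODE = {"1": "employees", "2": "departments"}


def resolve_table(code):
    """Map a request code to a table name; anything not allowlisted is an error."""
    try:
        return TABLE_BY_CODE[str(code)]
    except KeyError:
        raise ValueError("unknown table code: %r" % (code,))


def is_rejected(code):
    """True if the code does not resolve (used to check hostile input is refused)."""
    try:
        resolve_table(code)
    except ValueError:
        return True
    return False


def unsafe_query(tablename, min_id):
    # The pattern asked about: the form field goes into the SQL text verbatim
    # (what dtml-var does), so a hostile field becomes part of the statement.
    return "select name from %s where id >= %s" % (tablename, min_id)


def safe_query(code, min_id):
    # Identifier comes only from the allowlist; the value is a bound parameter,
    # which is what dtml-sqlvar gives you for values (but not for identifiers).
    return "select name from %s where id >= ?" % resolve_table(code), (int(min_id),)


def fetch_names(conn, code, min_id):
    sql, params = safe_query(code, min_id)
    return [row[0] for row in conn.execute(sql, params)]


def demo_db():
    """Constructed in-memory database with the two allowlisted tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table employees (id integer, name text);
        create table departments (id integer, name text);
        insert into employees values (1, 'alice'), (2, 'bob');
        insert into departments values (1, 'ops');
    """)
    return conn
```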