5 Jul 2002, 11:55 a.m.
Hello all,

I would like to choose via a form field (called 'tablename') which table ('employers' or 'employees') is going to be queried. I use in my ZSQL Method the following:

select * from <dtml-var tablename>

because

select * from <dtml-sqlvar tablename type=string>

results in e.g. select * from 'employees', which results in an SQL error because of the quotes.

Any advice with respect to the safety of using the dtml-var, i.e. could the form field 'tablename' be fiddled with to contain something like 'employees; delete from employees'? Is there an alternative solution to get rid of the quotes in the dtml-sqlvar?

Best regards,
Roger Erens
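The following is an added example, not code from the poster or from Zope. It uses plain Python with sqlite3 (assumed here in place of a ZSQL Method) to show the difference between substituting the form field into the query as raw text, which is what dtml-var does, and checking it against a fixed allowlist of table names first. A table name is an identifier, not a value, so it cannot be passed as a quoted parameter; the allowlist is the usual alternative to quoting. The table names and rows are constructed for the demo.

```python
import sqlite3

# Constructed sample: the two tables named in the post. Only these names
# may ever reach the query text.
ALLOWED_TABLES = frozenset({"employers", "employees"})


def naive_query(tablename):
    """What <dtml-var tablename> produces: raw text substitution, no checks.
    Shown only to make the risk visible; never execute its output."""
    return "select * from %s" % tablename


def build_query(tablename):
    """Return 'select * from <tablename>' only if the name is on the allowlist.
    Anything else (including 'employees; delete from employees') is rejected
    before it can become part of the SQL text."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (tablename,))
    return "select * from %s" % tablename


def rejected(tablename):
    """True if build_query refuses the given form-field value."""
    try:
        build_query(tablename)
    except ValueError:
        return True
    return False


def make_demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table employers (id integer, name text)")
    conn.execute("create table employees (id integer, name text)")
    conn.executemany("insert into employees values (?, ?)",
                     [(1, "alice"), (2, "bob")])
    conn.commit()
    return conn


def run_query(conn, tablename):
    """Run the allowlisted query and return all rows."""
    return conn.execute(build_query(tablename)).fetchall()


if __name__ == "__main__":
    db = make_demo_db()
    print(run_query(db, "employees"))          # two constructed rows
    hostile = "employees; delete from employees"
    print(naive_query(hostile))                # shows what dtml-var would emit
    print("rejected:", rejected(hostile))      # the allowlist refuses it
```

Because the allowlist check runs before any string is assembled, the quoting problem with dtml-sqlvar never arises: the name is inserted unquoted, but only ever one of the known identifiers.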