14 Aug 2001, 7:16 p.m.
Andy Dustman writes:

> ... SELECT ... <dtml-var doOrderBy>
>
> However, nothing stops a malicious user from passing in doOrderBy on the form, which may do Very Bad Things. But, due to the DTML namespace, the client object is always on top of REQUEST, so any passed-in doOrderBy will not be seen (unless using <dtml-with REQUEST only>).

Do not be afraid:

Only the arguments you specified in the argument list are taken from REQUEST. All other variables must be available via acquisition or a bad request exception is raised.

Dieter
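An added example, not part of the thread and not Zope's own code, that models in plain Python the lookup rule Dieter describes: a name in the declared argument list is taken from the request, every other name (such as doOrderBy) must come from the acquisition context, and a value the client smuggles in for an undeclared name is ignored. Because ORDER BY takes an identifier that cannot be sent as a bound parameter, the column that finally reaches the SQL is also checked against an allow-list. DECLARED_ARGS, ALLOWED_SORT_COLUMNS, BadRequest, resolve, build_query, run_query and the sample table are assumptions made for illustration.

```python
import sqlite3

# Assumption: the "argument list" a Z SQL Method would declare for this query.
DECLARED_ARGS = ("owner",)
# Assumption: the only columns a sort may use; identifiers cannot be bound as parameters.
ALLOWED_SORT_COLUMNS = frozenset({"id", "name", "created"})


class BadRequest(Exception):
    """Models the bad-request error raised when a referenced name cannot be resolved."""


def resolve(name, request, context):
    """Resolve a template variable the way the thread describes.

    Declared arguments come from the request and must be present there.
    Any other name is looked up only in `context` (standing in for acquisition);
    a request-supplied value for such a name is never consulted.
    """
    if name in DECLARED_ARGS:
        if name not in request:
            raise BadRequest(f"argument {name!r} not supplied")
        return request[name]
    if name in context:
        return context[name]
    raise BadRequest(f"cannot resolve {name!r}")


def order_by_clause(column):
    """Allow-list the sort column before it is spliced into the SQL text."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"sort column {column!r} not allowed")
    return f"ORDER BY {column}"


def build_query(request, context):
    """Return (sql, params): data goes through a bound parameter, the ORDER BY
    column is resolved from the acquisition context and allow-listed."""
    owner = resolve("owner", request, context)        # declared: taken from the request
    column = resolve("doOrderBy", request, context)   # undeclared: context only
    sql = "SELECT id, name FROM items WHERE owner = ? " + order_by_clause(column)
    return sql, (owner,)


def run_query(request, context):
    """Execute the built query against an in-memory table of constructed sample rows."""
    sql, params = build_query(request, context)
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (id INTEGER, name TEXT, owner TEXT, created TEXT)")
    con.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", [
        (1, "zeta", "alice", "2001-08-01"),
        (2, "alpha", "alice", "2001-08-02"),
        (3, "beta", "bob", "2001-08-03"),
    ])
    rows = con.execute(sql, params).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    # The client tries to override doOrderBy in the form; the context value wins.
    print(run_query({"owner": "alice", "doOrderBy": "id"}, {"doOrderBy": "name"}))
```

With the context supplying `doOrderBy = "name"`, the form value `id` is ignored and the rows come back sorted by name; drop doOrderBy from the context and the query fails with BadRequest rather than falling back to the request.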