30 Jan 2003, 12:35 p.m.
On Thu, Jan 30, 2003 at 12:21:55PM +0000, Ben Avery wrote:
> Eugen,
> you can't easily do what you're trying to, safely. The <dtml-sqlvar ...> tag was created so that the variable substitution methods couldn't be maliciously used by people passing in a parameter of e.g. "3;drop database mydb", which would terminate the first SQL statement, then make a new arbitrary one.

I am aware of that.
> Personally, I have created a method for each table, e.g. delete from employee where <dtml-sqltest emp_id multiple>
> It is a pain to do this, but it's the only way without opening up your system to major risks.

My application is one like Webmin or PHPMyAdmin, so it must be generic!

-- 
ICQ: 165549179
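The injection Ben describes, the defence that <dtml-sqlvar> provides, and the extra step a generic Webmin/PHPMyAdmin-style tool needs, as an added example that is not part of the original mail thread and does not use Zope's DTML. Python's sqlite3 stands in for the Zope SQL method: executescript() with string substitution plays the role of raw variable substitution, parameter binding plays the role of <dtml-sqlvar>, and a catalog check covers the part a generic tool cannot bind (table and column names come from the user, and placeholders only work for values). The schema, the function names and the payload are constructed for this example; "3;drop database mydb" is adapted to DROP TABLE because SQLite has no DROP DATABASE.

```python
import re
import sqlite3

# Constructed sample schema and data (not from the original post).
SCHEMA = """
CREATE TABLE employee (emp_id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO employee VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
CREATE TABLE audit_log (id INTEGER PRIMARY KEY, note TEXT);
INSERT INTO audit_log VALUES (1, 'keep me');
"""

# Identifier syntax accepted before a name is even looked up in the catalog.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def fresh_db():
    """Open an in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_names(conn):
    """Tables that currently exist, read from the catalog."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def delete_unsafe(conn, emp_id):
    """Raw variable substitution: the caller's text is pasted into the SQL.

    executescript() runs every statement in the string, so a value such as
    '3; DROP TABLE audit_log' ends the DELETE and runs a second statement.
    """
    conn.executescript("DELETE FROM employee WHERE emp_id = %s" % emp_id)


def delete_safe(conn, emp_id):
    """The <dtml-sqlvar emp_id> equivalent: the value is bound, never parsed.

    The payload arrives as one opaque literal that matches no emp_id, so the
    statement deletes nothing and no second statement can exist.
    """
    cur = conn.execute("DELETE FROM employee WHERE emp_id = ?", (emp_id,))
    return cur.rowcount


def delete_generic(conn, table, column, value):
    """A generic tool cannot bind table or column names as parameters.

    Accept them only if they are plain identifiers that exist in the catalog,
    quote them, and still bind the value. Returns the number of deleted rows.
    """
    for ident in (table, column):
        if not IDENT_RE.match(ident):
            raise ValueError("bad identifier: %r" % ident)
    if table not in table_names(conn):
        raise ValueError("unknown table: %r" % table)
    columns = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)]
    if column not in columns:
        raise ValueError("unknown column: %r" % column)
    cur = conn.execute('DELETE FROM "%s" WHERE "%s" = ?' % (table, column), (value,))
    return cur.rowcount


def demo():
    """Run the three variants against fresh databases and report what survived."""
    results = {}
    payload = "3; DROP TABLE audit_log"  # the post's '3;drop database mydb', adapted to SQLite

    conn = fresh_db()
    delete_unsafe(conn, payload)
    results["unsafe_tables"] = table_names(conn)  # audit_log is gone

    conn = fresh_db()
    results["safe_deleted"] = delete_safe(conn, payload)  # 0 rows touched
    results["safe_tables"] = table_names(conn)  # both tables survive

    conn = fresh_db()
    results["generic_deleted"] = delete_generic(conn, "employee", "name", "bob")  # 1 row
    try:
        delete_generic(conn, 'employee"; DROP TABLE audit_log; --', "emp_id", 1)
        results["generic_rejected"] = False
    except ValueError:
        results["generic_rejected"] = True
    results["generic_tables"] = table_names(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The generic variant is the piece the poster is asking for: values still go through placeholders, and the only strings ever pasted into SQL are names that were just read back out of the database's own catalog, so an attacker who controls the table or column parameter can at most pick a table that already exists.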