On Friday 05 July 2002 07:55 am, Roger Erens wrote:
Hello all,
I would like to choose via a formfield (called 'tablename') which table ('employers' or 'employees') is going to be queried.
In my ZSQL Method I use the following: select * from <dtml-var tablename>, because select * from <dtml-sqlvar tablename type=string> results in e.g. select * from 'employees', which gives an SQL error because of the quotes.
Any advice with respect to the safety of using the dtml-var, i.e. could the formfield 'tablename' be fiddled with to contain something like 'employees; delete from employees'?
Is there an alternative solution to get rid of the quotes in the dtml-sqlvar?
best regards,
Roger Erens

If you use <dtml-var> in a Z SQL method, be sure to use the sql_quote option so that characters like ";" and "'" are properly escaped, i.e.:

SELECT * FROM <dtml-var tablename sql_quote>

hth,
-Casey
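Added example, not code from this thread or from Zope: the check a form-chosen table name needs before it is interpolated into SELECT * FROM <dtml-var tablename>. The allowlist and the minimal sql_quote() model (single quotes doubled) are assumptions made for this example; the point it shows is that quote-escaping protects a quoted string value, while an identifier taken from a form field is only safe once it has matched a fixed list of the table names the application expects.

```python
"""Added example (not from the original thread): validating a user-chosen
table name before interpolating it into a Z SQL statement.
Assumptions: ALLOWED_TABLES is constructed for this example, and
sql_quote() is a minimal model of quote-escaping, not Zope's implementation."""

# Constructed allowlist: the two tables the question names.
ALLOWED_TABLES = frozenset({"employers", "employees"})


def sql_quote(value: str) -> str:
    """Model of string-value escaping: double any single quote.
    Escaping of this kind protects a quoted string literal; it is not a
    validation step for an identifier such as a table name."""
    return value.replace("'", "''")


def render_quoted(tablename: str) -> str:
    """Models: SELECT * FROM <dtml-var tablename sql_quote>"""
    return f"SELECT * FROM {sql_quote(tablename)}"


def is_allowed_table(tablename: str) -> bool:
    """Exact-match allowlist check; case-sensitive on purpose, so the value
    must be exactly one of the names the application expects."""
    return tablename in ALLOWED_TABLES


def render_allowlisted(tablename: str) -> str:
    """The safe pattern: reject anything not on the allowlist, then
    interpolate the known-good identifier without quotes."""
    if not is_allowed_table(tablename):
        raise ValueError(f"table name not permitted: {tablename!r}")
    return f"SELECT * FROM {tablename}"


if __name__ == "__main__":
    # Constructed form values: a legitimate one and the one the question worries about.
    for form_value in ("employees", "employees; delete from employees"):
        # Neither value contains a quote, so the escaping model leaves both unchanged.
        print(render_quoted(form_value))
        try:
            print(render_allowlisted(form_value))
        except ValueError as exc:
            print("rejected:", exc)
```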