Search Interface Gone awry! Red! No, Blue.....ahhhh.....
Here is my search interface and SQL method.

search_query:

    <dtml-var standard_html_header>
    <form action="search_result" method="get">
    <h2><dtml-var document_title></h2>
    <input name="select_statment" value="select * from courses_description ">
    <input name="where_statement" value=" where subject = 'ee'">
    <input type="SUBMIT" name="SUBMIT" value="Submit Query">
    </td></tr> </table>
    </form>
    <dtml-var standard_html_footer>

search_results:

    <dtml-var standard_html_header>
    <dtml-in search_method size=50 start=query_start>
      <dtml-if sequence-start>
        <dtml-if previous-sequence>
          <a href="<dtml-var URL><dtml-var sequence-query >query_start=<dtml-var previous-sequence-start-number>">
            (Previous <dtml-var previous-sequence-size> results)
          </a>
        </dtml-if previous-sequence>
        <table border>
        <tr>
          <th>SUBJECT</th>
          <th>COURSE NBR</th>
          <th>PART</th>
          <th>TEXT</th>
        </tr>
      </dtml-if sequence-start>
      <tr>
        <td><dtml-var SUBJECT></td>
        <td><dtml-var COURSE_NBR></td>
        <td><dtml-var PART></td>
        <td><dtml-var TEXT></td>
      </tr>
      <dtml-if sequence-end>
        </table>
        <dtml-if next-sequence>
          <a href="<dtml-var URL><dtml-var sequence-query >query_start=<dtml-var next-sequence-start-number>">
            (Next <dtml-var next-sequence-size> results)
          </a>
        </dtml-if next-sequence>
      </dtml-if sequence-end>
    <dtml-else>
      There was no data matching this <dtml-var title_or_id> query.
    </dtml-in>
    <dtml-var standard_html_footer>

Z_SQL_method(search_method):

    <dtml-with search_query>
    <dtml-call "REQUEST.set('left', select_statment + where_statement)">
    </dtml-with>
    <dtml-var left>

What I am trying to do is concatenate select_statment and where_statement into a single statement known as left. There will be more parameters when I get this to work. Then, I want to use left, which would be a valid SQL statement, and throw it at my Z SQL method. I don't understand why I can't accomplish this; it doesn't seem like it should be difficult to me. Thank you for reading this and thanks in advance for any help.

-Sean

--
Sean G. Richards : Web Technician/Treasurer PLUG
Purdue University : Engineering Computing Network
seangr@purdue.edu :
Wow, wow, very interesting! On Thu, 20 Jul 2000, Sean G Richards wrote:
    <form action="search_result" method="get">
    <h2><dtml-var document_title></h2>
    <input name="select_statment" value="select * from courses_description ">
    <input name="where_statement" value=" where subject = 'ee'">
    <input type="SUBMIT" name="SUBMIT" value="Submit Query">
    </td></tr> </table>
    </form>
Please send me the real URL of the form ASAP. I will download the page, replace "select *" with "DELET FROM" and submit the form! Never saw a nicer security hole! :)

Oleg.
(All opinions are mine and not of my employer)
----
Oleg Broytmann
Foundation for Effective Policies
phd@phd.russ.ru
Programmers don't die, they just GOSUB without RETURN.
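The hole Oleg is pointing at is that the request carries the SQL text itself, so whoever submits the form decides what the database runs. As an added example (not code from the thread), here is the same search with the statement fixed inside the Z SQL Method and only the values taken from the form; it assumes a Z SQL Method named search_method whose Arguments field lists `subject` and `course_nbr`, and it assumes both columns are text.

```dtml
<dtml-comment>
  search_query form (added example): the request carries only values,
  never fragments of SQL, so there is nothing for a visitor to rewrite.
</dtml-comment>
<dtml-var standard_html_header>
<form action="search_result" method="get">
  <h2><dtml-var document_title></h2>
  Subject: <input name="subject" value="ee">
  Course number (optional): <input name="course_nbr" value="">
  <input type="submit" name="SUBMIT" value="Submit Query">
</form>
<dtml-var standard_html_footer>

<dtml-comment>
  Z SQL Method search_method (added example).
  Arguments field: subject course_nbr
  The statement text is written here once. dtml-sqlvar quotes and escapes
  each value for the database adapter, so a quote character inside "subject"
  cannot close the string literal and start a second statement. Column types
  are an assumption (both treated as text); adjust type= to match the table.
</dtml-comment>
SELECT subject, course_nbr, part, text
FROM courses_description
WHERE subject = <dtml-sqlvar subject type=string>
<dtml-if course_nbr>
  AND course_nbr = <dtml-sqlvar course_nbr type=string>
</dtml-if>
```

The results template is unchanged: `<dtml-in search_method size=50 start=query_start>` still passes the request's `subject` and `course_nbr` fields through to the method, and further filters are added the same way, one argument and one `<dtml-sqlvar>` each.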