[Zope] Dynamic ordering of DTML-IN?
Andrew Kenneth Milton
akm@mail.theinternet.com.au
Wed, 24 Jan 2001 01:10:17 +1000
+-------[ Oliver Bleutgen ]----------------------
| > Then change your Z SQL Method to look like;
|
| > select * from Customers where
| > foofield=<dtml-sqlvar search type=string>
| > <dtml-if orderby>
| > ORDER BY <dtml-var orderby>
| > </dtml-if>
|
| Hmm, I wouldn't do that, you're trusting the client here,
| imagine someone going to
|
| http://yourserver/staff?orderby=firstname%20;%20delete from Customers;
You always validate external input, especially in a web environment.
I didn't think it was necessary to spell that out.
--
Totally Holistic Enterprises Internet| P:+61 7 3870 0066 | Andrew Milton
The Internet (Aust) Pty Ltd | F:+61 7 3870 4477 |
ACN: 082 081 472 ABN: 83 082 081 472 | M:+61 416 022 411 | Carpe Daemon
PO Box 837 Indooroopilly QLD 4068 |akm@theinternet.com.au|
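The validation Andrew refers to, worked through as an added example (not code from this thread or from Zope): the `orderby` request parameter is checked against an allow-list of column names and never copied into the SQL, so the `orderby=firstname%20;%20delete from Customers;` value above is refused instead of executed. The column names and the `validate_order_by` / `build_customer_query` names are assumptions.

```python
import re

# Constructed allow-list: the only columns the Customers query may sort by.
# Anything else is refused, never interpolated into the statement.
ALLOWED_ORDER_COLUMNS = frozenset({"firstname", "lastname", "company"})
ALLOWED_DIRECTIONS = frozenset({"ASC", "DESC"})

# A bare SQL identifier: letters, digits, underscore; no spaces or ';'.
_IDENTIFIER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def validate_order_by(orderby):
    """Return a safe ' ORDER BY ...' fragment for the request parameter
    `orderby`, or raise ValueError. Accepts 'col' or 'col asc|desc' only."""
    if not orderby:
        return ""
    parts = orderby.split()
    if len(parts) > 2:
        # 'firstname ; delete from Customers;' ends up here: too many tokens.
        raise ValueError("unexpected ORDER BY input: %r" % orderby)
    column = parts[0]
    if not _IDENTIFIER.match(column) or column.lower() not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("unknown sort column: %r" % column)
    direction = "ASC"
    if len(parts) == 2:
        direction = parts[1].upper()
        if direction not in ALLOWED_DIRECTIONS:
            raise ValueError("unknown sort direction: %r" % parts[1])
    # Only the canonical allow-listed spelling reaches the SQL text.
    return " ORDER BY %s %s" % (column.lower(), direction)


def build_customer_query(orderby=None):
    """Build the query from the thread: the search value stays a bound
    parameter (as dtml-sqlvar renders it); ORDER BY comes from the allow-list."""
    sql = "select * from Customers where foofield = %(search)s"
    return sql + validate_order_by(orderby)
```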