Hi Christian!

On Tue, Nov 12, 2002 at 12:09:16PM +0100, Christian Haul wrote:
> Please be aware that the above code may allow a user to substitute
> sNachname with a string like '"; close database; drop database somedb;'
> which is probably not intended. Consider using prepared statements like
>
> <esql:query>select distinct nUserID, sUserName from users where
> sNachname like <esql:parameter><xsp:expr>sNachname+"%"</xsp:expr></esql:parameter>
Unfortunately there are lots of SQL statements that depend on some
filters and other logic, so it's hard to implement dynamic SQL statements
with prepared statements...

Another thing:
I have trouble with the GET parameters in Cocoon 2.0.3:
the first value of a multi-valued parameter occurs as the first AND the
last element of this parameter ("s_kst"):
METHOD: GET
CONTENT LENGTH: 0
PROTOCOL: HTTP/1.1
SCHEME: http
AUTH TYPE: null
CURRENT ACTIVE REQUESTS: 1
REQUEST PARAMETERS:
PARAM: 'Speichern' VALUES: '[Speichern]'
PARAM: 's_kst' VALUES: '[4100], [4232], [4233], [4234], [4235], [4236], [4100]'
PARAM: 'auftrag' VALUES: '[]'
PARAM: 'timestamp' VALUES: '[1037641279723]'
HEADER PARAMETERS:
PARAM: 'cookie' VALUES: '[JSESSIONID=qtpqzy4ho2]'
PARAM: 'connection' VALUES: '[keep-alive]'
PARAM: 'accept-encoding' VALUES: '[gzip, deflate, compress;q=0.9]'
PARAM: 'referer' VALUES: '[http://edvlw05.knapp.intern/knapp/reports/options.xsp?auftrag=&li=&lit=&litpos=]'
PARAM: 'accept' VALUES: '[text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,video/x-mng,image/png,image/jpeg,image/gif;q=0.2,text/css,*/*;q=0.1]'
PARAM: 'content-length' VALUES: '[0]'
PARAM: 'accept-charset' VALUES: '[ISO-8859-1, utf-8;q=0.66, *;q=0.66]'
PARAM: 'user-agent' VALUES: '[Mozilla/5.0 Galeon/1.2.6 (X11; Linux i686; U;) Gecko/20020913 Debian/1.2.6-2]'
PARAM: 'keep-alive' VALUES: '[300]'
PARAM: 'host' VALUES: '[edvlw05.knapp.intern]'
SESSION ATTRIBUTES:
PARAM: 'report' VALUE: ''
PARAM: 'etft' VALUE: ''
Are there issues with this Cocoon version and GET requests? With 2.0.1 I
can't use POST, because that way was broken there...

Thanks, Chris
--
KNAPP Logistics Automation http://www.knapp.com
Ing. Christian Jölly Tel/FAX: (++43) 316 / 495 1926 / 495 394
Günter-Knapp-Straße 5-7 A-8075 Hart bei Graz
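The injection Christian Haul points out, and the "dynamic filters with prepared statements" problem Chris raises in reply, can both be shown in one short script. This is an added example, not code from the thread or from Cocoon; it uses Python with SQLite instead of the XSP/ESQL taglib, the table columns (nUserID, sUserName, sNachname) are taken from the quoted query, and the sample rows, the attacker payload and the extra filters (s_username, min_id) are constructed here for illustration. The point it makes goes slightly beyond the quoted snippet: the SQL text may grow per filter, but every value still travels through a placeholder.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "users" table;
# not data from the original mail.
SAMPLE_USERS = [
    (1, "anna", "Mueller"),
    (2, "ben", "Maier"),
    (3, "carla", "Schmidt"),
]


def make_db():
    """Create an in-memory SQLite database holding SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (nUserID INTEGER, sUserName TEXT, sNachname TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def query_unsafe(conn, s_nachname):
    """The pattern warned about in the thread: the user value is pasted
    into the SQL text, so a quote inside it rewrites the statement."""
    sql = (
        "select distinct nUserID, sUserName from users "
        "where sNachname like '" + s_nachname + "%' order by nUserID"
    )
    return conn.execute(sql).fetchall()


def query_safe(conn, s_nachname=None, s_username=None, min_id=None):
    """Dynamic WHERE clause built from optional filters (filter names are
    assumed for this example).  The statement text depends only on WHICH
    filters are present; the values are always bound via '?' placeholders,
    so they cannot change the shape of the query."""
    clauses, params = [], []
    if s_nachname is not None:
        clauses.append("sNachname like ?")
        params.append(s_nachname + "%")   # same "%" suffix as the esql:parameter
    if s_username is not None:
        clauses.append("sUserName = ?")
        params.append(s_username)
    if min_id is not None:
        clauses.append("nUserID >= ?")
        params.append(min_id)
    sql = "select distinct nUserID, sUserName from users"
    if clauses:
        sql += " where " + " and ".join(clauses)
    sql += " order by nUserID"
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    payload = "x' or 1=1 --"   # constructed attacker input for sNachname
    db = make_db()
    print("unsafe:", query_unsafe(db, payload))            # every row comes back
    print("safe:  ", query_safe(db, s_nachname=payload))   # no row matches
    print("filters:", query_safe(db, s_nachname="M", min_id=2))
```

With the payload, the concatenated statement becomes `... where sNachname like 'x' or 1=1 --%' order by nUserID`, so the filter is bypassed and the comment swallows the rest; the parameterised version compares the whole payload as a literal and matches nothing. One caveat that binding does not remove: `%` and `_` in the bound value are still LIKE wildcards, so a user can widen the match (a matching issue), but cannot alter the statement (the injection issue).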
