On 06.Dec.2002 -- 03:47 PM, Scherler, Thorsten wrote:
> Sorry, that is much better (use <xsp:expr/>):
> 
> select * From AllTask Where wfID=<xsp:expr><xsp-request:get-parameter name="myID"/></xsp:expr>

Please imagine what happens if myID evaluates to "; update AllTasks set done = 1; --"

IOW you should use <esql:parameter/> around it to have esql use a PreparedStatement.

BTW the xsp:expr is not needed here.

        Chris.
-- 
C h r i s t i a n       H a u l
[EMAIL PROTECTED]
    fingerprint: 99B0 1D9D 7919 644A 4837  7D73 FEF9 6856 335A 9E08
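An added example, not from Chris's mail or from Cocoon itself, that reproduces the point with plain Python and sqlite3 instead of ESQL: the concatenated query from the quoted XSP beside the bound-parameter form that <esql:parameter/> produces. Assumptions not in the original: a table AllTask with columns wfID (integer), name and done (integer); the stacked payload is prefixed with a valid id so that its first statement parses; sqlite3's executescript() stands in for a JDBC driver that accepts several statements in one call.

```python
"""Added example: string-concatenated SQL vs. a bound parameter.

sqlite3 stands in for the database behind the ESQL page. Table layout and
sample rows are constructed for this example, not taken from the mail.
"""
import sqlite3

# Constructed sample data: three tasks, none of them done.
ROWS = [(1, "review", 0), (2, "deploy", 0), (3, "audit", 0)]


def fresh_db():
    """In-memory stand-in for the real database (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE AllTask (wfID INTEGER, name TEXT, done INTEGER)")
    con.executemany("INSERT INTO AllTask VALUES (?, ?, ?)", ROWS)
    con.commit()
    return con


def build_concatenated(my_id):
    """Exactly what the quoted XSP does: paste the request parameter into the SQL."""
    return "select * From AllTask Where wfID=" + my_id


def select_concatenated(con, my_id):
    """Vulnerable: the query text depends on user input.

    Even without stacked statements, a value such as "0 OR 1=1" rewrites the
    WHERE clause and leaks every row.
    """
    return con.execute(build_concatenated(my_id)).fetchall()


def run_concatenated_stacked(con, my_id):
    """Same concatenation, executed through an interface that accepts several
    statements in one string (executescript() stands in for a JDBC driver with
    multi-statement support). Returns how many tasks are marked done afterwards.
    """
    con.executescript(build_concatenated(my_id))
    con.commit()
    return count_done(con)


def select_parameterized(con, my_id):
    """Fixed: the value is bound as a parameter, which is what <esql:parameter/>
    makes ESQL do through a PreparedStatement. The input is data, never SQL text,
    so "1; update ..." is compared against wfID as a literal and matches nothing.
    """
    return con.execute("SELECT * FROM AllTask WHERE wfID = ?", (my_id,)).fetchall()


def count_done(con):
    """Number of rows with done = 1; used to observe the side effect of the attack."""
    return con.execute("SELECT COUNT(*) FROM AllTask WHERE done = 1").fetchone()[0]


if __name__ == "__main__":
    payload = "1; update AllTask set done = 1; --"

    con = fresh_db()
    print("honest request:", select_concatenated(con, "2"))
    print("leaked rows   :", select_concatenated(con, "0 OR 1=1"))
    print("done after stacked update:", run_concatenated_stacked(con, payload))

    con = fresh_db()
    print("bound, honest :", select_parameterized(con, "2"))
    print("bound, payload:", select_parameterized(con, payload))
    print("done after bound query:", count_done(con))
```

Note that the SQLite binding used here converts the string "2" to the integer column type during the comparison; with a real driver the page should convert the parameter to an integer itself before binding, which also rejects the payload outright.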
