On 06.Dec.2002 -- 03:47 PM, Scherler, Thorsten wrote:
> Sorry, that is much better (use <xsp:expr/>):
>
> select * From AllTask Where wfID=<xsp:expr><xsp-request:get-parameter name="myID"/></xsp:expr>

Please imagine what happens if myID evaluates to "; update AllTasks set done = 1; --"
IOW you should use <esql:parameter/> around it to have esql use a PreparedStatement.
BTW the xsp:expr is not needed here.

Chris.

--
C h r i s t i a n   H a u l
[EMAIL PROTECTED]
fingerprint: 99B0 1D9D 7919 644A 4837 7D73 FEF9 6856 335A 9E08

---------------------------------------------------------------------
Please check that your question has not already been answered in the
FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail: <[EMAIL PROTECTED]>
For additional commands, e-mail: <[EMAIL PROTECTED]>
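The contrast Chris describes, as an added example that is not part of the thread: the request value pasted into the SQL text (what the quoted XSP does) versus the same value bound as a parameter (what <esql:parameter/> makes esql do via PreparedStatement). The AllTask table, its rows and the hostile myID value are constructed here, modelled on the snippet and payload in the message; sqlite3 stands in for the real database.

```python
import sqlite3

# Constructed sample data modelled on the thread's "AllTask" table.
SCHEMA = """
CREATE TABLE AllTask (wfID INTEGER, name TEXT, done INTEGER DEFAULT 0);
INSERT INTO AllTask VALUES (1, 'review', 0), (2, 'deploy', 0), (3, 'audit', 0);
"""

# Constructed request parameter, modelled on the value Chris asks us to imagine:
# a leading 0 keeps the first statement syntactically valid so the second one runs.
HOSTILE_MYID = "0; update AllTask set done = 1; --"


def fresh_db():
    """In-memory database with the constructed AllTask rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def query_concatenated(conn, my_id):
    """Mirrors the quoted XSP: the request value is spliced into the SQL text.

    executescript stands in for a JDBC driver that accepts several statements
    in one call; the attacker-supplied UPDATE runs with the application's
    database privileges.  Returns the SQL actually sent."""
    sql = "select * From AllTask Where wfID=" + my_id
    conn.executescript(sql)
    return sql


def query_parameterized(conn, my_id):
    """Mirrors <esql:parameter/>: the value is bound to a placeholder.

    The driver never parses the value as SQL, so the embedded UPDATE is just
    a string that matches no wfID.  Returns the selected rows."""
    return conn.execute(
        "select * From AllTask Where wfID=?", (my_id,)
    ).fetchall()


def done_count(conn):
    """Number of tasks flipped to done=1, i.e. evidence of the injected UPDATE."""
    return conn.execute("select count(*) from AllTask where done=1").fetchone()[0]


if __name__ == "__main__":
    db = fresh_db()
    print(query_concatenated(db, HOSTILE_MYID), "->", done_count(db), "rows marked done")
    db = fresh_db()
    print(query_parameterized(db, HOSTILE_MYID), "->", done_count(db), "rows marked done")
```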