[I'm responding to my original post because it's not really specific to
any of the other messages in the thread...they _all_ contributed, thanks.]
Here's my final solution. Additional comments are welcome. As a
preface, I think that when it comes to security a belt-and-suspenders
solution is always best, because in that case if one happens to fail the
other will catch it. So, I fixed my original "test for valid integer"
from one suggestion; I liked the fact that it gave better error
reporting. I also went through and made all references to form
variables robust as another suggestion had it.
Here's the sample RXML from the top of one of the files:
<if variable="form.id">
  <if expr='STRING(INT("&form.id:mysql;")) == "&form.id:mysql;"'>
    <set variable="var.title"><trim><sqltable query='
      select prefix, title from item where id="&form.id:mysql;"
    ' ascii='yes' /></trim></set>
    <if sizeof="var.title > 0">
      <page-title>Item: &var.title:none;</page-title>
    </if>
    <else>
      <page-title>ERROR: No item with ID &form.id;</page-title>
      <unset variable="form.id"/>
    </else>
  </if>
  <else>
    <page-title>ERROR: Non-numeric ID!</page-title>
    <unset variable="form.id"/>
  </else>
</if>
<else>
  <page-title>Item lookup</page-title>
</else>
In my standard style, it exhaustively checks all the possibilities (all
if's have an else). But I realize there's one final question which is,
is ":mysql" the right thing for those first references? Is the expr arg
just being passed to the pike evaluator? Maybe that means ":pike" would
be more appropriate. The referenced doc page says what characters get
quoted, but not how, which might matter.
___
/| /| /| \ Michael A. Patton, President [email protected]
/ | / | /_|__/ MAP Network Engineering http://MAP-NE.com
/ |/ |/ | Network Infrastructure design: Routing, DNS, more
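The two layers from the post, the STRING(INT(x)) == x round-trip test and a query that never sees raw form input, as an added Python example; it is not Roxen/RXML and not the poster's code, and the in-memory sqlite3 table, its rows and the function names are constructed for the demonstration.

```python
import sqlite3

def is_canonical_int(value: str) -> bool:
    """Belt: the round-trip check from the post, STRING(INT(x)) == x.
    Only strings that int() accepts AND that print back identically pass,
    so ' 42', '042', '+5', '1e3' and '1 OR 1=1' are all rejected."""
    try:
        return str(int(value)) == value
    except ValueError:
        return False

def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the 'item' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table item (id integer primary key, prefix text, title text)")
    conn.executemany("insert into item values (?, ?, ?)",
                     [(1, "A", "First"), (42, "B", "Answer")])
    return conn

def lookup_title(conn: sqlite3.Connection, form_id: str) -> tuple:
    """Mirrors the RXML branches: non-numeric -> error, no row -> error,
    otherwise the title. Suspenders: the id is bound as a parameter,
    so even a value that passed the belt is never spliced into SQL text."""
    if not is_canonical_int(form_id):
        return ("error", "Non-numeric ID!")
    row = conn.execute("select prefix, title from item where id = ?",
                       (int(form_id),)).fetchone()
    if row is None:
        return ("error", f"No item with ID {form_id}")
    return ("ok", row[1])
```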