Michael A. Patton wrote:
>    <if variable="form.id">
>      <if expr='STRING(INT("&form.id:mysql;")) == "&form.id:mysql;"'>

As you already suspected, :mysql encoding is wrong here.
I'd say you'd need &form.id:pike; instead (for both).

>        <set variable="var.title"><trim><sqltable query='
>            select prefix, title from item where id="&form.id:mysql;"
>          ' ascii='yes' /></trim></set>

Several remarks:
a. Using sqltable/ascii nested in a trim is awkward and inefficient.
b. Using " string delimiters in SQL is non-standard SQL and could result
   in security issues in the future if your SQL server is MySQL.
c. Not using bindings in the query is needlessly inefficient and increases
   the chance for new security leaks for no good reason.
d. Why not add a LIMIT 1 to the SQL query to help the database evaluator?

Why not use something more straightforward/efficient/secure like this:

        <emit source="sql" query="
           SELECT prefix, title
            FROM item
            WHERE id=:id
            LIMIT 1"
         bindings="id=form.id">
         <set variable="var.title" value="&_.prefix; &_.title;" />
        </emit>
        <else>
         No entry found
        </else>

>is ":mysql" the right thing for those first references?  Is the expr arg
>just being passed to the pike evaluator?  Maybe that means ":pike" would

Well, not "just": it's filtered for valid function calls, but other than
that, it is indeed being passed down to the pike evaluator.
-- 
Stephen.

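The difference between the interpolated query Michael posted and the bound query Stephen suggests, shown as an added Python/sqlite3 example that is not part of the thread and is not Roxen/RXML code. The `item` table, its three rows and the form values are constructed here. The interpolated version uses standard single-quote string delimiters instead of the double quotes in the original (Stephen's remark b) and has no escaping layer at all, so it shows the failure class that the `:mysql` encoding is meant to paper over; the bound version uses sqlite3's `:id` named parameter, which plays the role of `bindings="id=form.id"` in the `<emit source="sql">` form, and returns `None` where the `<else>` branch would fire. The `looks_like_int` check is an assumed stand-in for the `STRING(INT(...)) == ...` test in the `<if expr>`.

```python
import re
import sqlite3

# Constructed sample data; not from the original mailing-list thread.
ITEMS = [
    (1, "Dr.", "First item"),
    (2, "Ms.", "Second item"),
    (3, "Mr.", "Third item"),
]


def make_db():
    """Build an in-memory table with the same columns the thread queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE item (id INTEGER PRIMARY KEY, prefix TEXT, title TEXT)"
    )
    conn.executemany("INSERT INTO item VALUES (?, ?, ?)", ITEMS)
    return conn


def looks_like_int(form_id):
    """Assumed stand-in for the STRING(INT(&form.id;)) == &form.id; check:
    accept only a plain run of ASCII digits, so '1' OR ... is rejected."""
    return re.fullmatch(r"[0-9]+", form_id) is not None


def title_interpolated(conn, form_id):
    """Vulnerable: splices the request value into the SQL text, like the
    quoted `where id="&form.id:mysql;"` but with single quotes and with no
    escaping layer. Returns every (prefix, title) row the query yields,
    which is more than one row once the value breaks out of the literal."""
    query = "select prefix, title from item where id='%s'" % form_id
    return conn.execute(query).fetchall()


def title_bound(conn, form_id):
    """Safe: the value travels as a bound parameter, never as SQL text.
    Equivalent to <emit source="sql" ... WHERE id=:id LIMIT 1"
    bindings="id=form.id">; returns "prefix title" or None for the <else>."""
    row = conn.execute(
        "SELECT prefix, title FROM item WHERE id = :id LIMIT 1",
        {"id": form_id},
    ).fetchone()
    if row is None:
        return None  # no entry found
    return "%s %s" % row


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"  # constructed injection value for form.id
    print(looks_like_int("2"), looks_like_int(payload))
    print(title_interpolated(db, "2"))
    print(title_interpolated(db, payload))  # every row leaks
    print(title_bound(db, "2"))
    print(title_bound(db, payload))  # None: the literal is compared as a whole
```

The bound form also keeps the SQL text constant across requests, which is what lets the server cache the prepared statement; the `LIMIT 1` tells the planner it can stop after the first match, as Stephen's remark d suggests.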