From: "Andy Wardley" <[EMAIL PROTECTED]>

> BTW, you can also do it all-in-one using query()
>
> [% FOREACH customer = DBI.query(
>      'SELECT * from customer ORDER BY ?',
>      baz
>    )
> %]
>
> Note that you should *ALWAYS* use ? placeholders. Do not be tempted to
> interpolate user-supplied values into your queries.
What you say is correct, but wouldn't this automatically quote the values that replace the placeholders? It does this when using DBI.pm, but not TT. So order by 'column' won't work (at least under MySQL), only order by column (without quotes). In that case, if TT doesn't replace the placeholders in a different way than DBI alone, I think the values should be inserted directly in the SQL query, after they are cleaned separately. It would be wonderful if TT could at least offer a method for doing this cleaning, to disallow the special chars which are used for SQL injection.

Octavian

_______________________________________________
templates mailing list
templates@template-toolkit.org
http://mail.template-toolkit.org/mailman/listinfo/templates
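The behaviour Octavian describes is not specific to TT or DBI: a `?` placeholder always binds a *value*, never an identifier, so `ORDER BY ?` sorts every row by the same constant string and the column name has no effect. The safe way to take a sort column from the user is therefore not to "clean" special characters out of it but to compare it against a fixed list of permitted column names and interpolate only a name from that list. The following is an added example written for this page, not code from the thread or from the Template Toolkit project; it uses Python's sqlite3 module (same placeholder semantics as DBI) with a constructed `customer` table, and the `ALLOWED_ORDER` list and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
ROWS = [
    (1, "Carol", "Paris"),
    (2, "alice", "Berlin"),
    (3, "Bob", "Amsterdam"),
]


def make_db():
    """Build an in-memory customer table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?)", ROWS)
    return conn


def order_by_placeholder(conn, column):
    """What the quoted template does: bind the column name as a ? value.

    The driver passes it as a string value, so the database sorts every
    row by the same constant and the result is *not* ordered by the named
    column; whatever name is bound, the order comes out the same.
    """
    cur = conn.execute("SELECT id FROM customer ORDER BY ?", (column,))
    return [row[0] for row in cur]


# Fixed allowlist of identifiers that may appear in ORDER BY (assumed for
# the example; in a real application this mirrors the table definition).
ALLOWED_ORDER = {"id", "name", "city"}


def order_by_allowlisted(conn, column, desc=False):
    """Identifiers cannot be bound, so the name is checked against the
    allowlist and only then interpolated into the SQL text.

    Anything not on the list is rejected outright rather than 'cleaned';
    stripping characters leaves room for encodings the filter misses,
    whereas a closed list of known identifiers has nothing to bypass.
    """
    if column not in ALLOWED_ORDER:
        raise ValueError("unknown sort column: %r" % (column,))
    direction = "DESC" if desc else "ASC"
    # Safe: `column` is one of our own literals, not attacker-controlled text.
    sql = "SELECT id FROM customer ORDER BY %s %s" % (column, direction)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("bound ORDER BY ? (name):", order_by_placeholder(db, "name"))
    print("bound ORDER BY ? (city):", order_by_placeholder(db, "city"))
    print("allowlisted ORDER BY name:", order_by_allowlisted(db, "name"))
    print("allowlisted ORDER BY city:", order_by_allowlisted(db, "city"))
    try:
        order_by_allowlisted(db, "name; DROP TABLE customer")
    except ValueError as exc:
        print("rejected:", exc)
```

Running it shows the two bound variants returning rows in the same order regardless of which name was bound, while the allowlisted version actually sorts and refuses `name; DROP TABLE customer` without the string ever reaching the database. The same pattern applies in a TT plugin or Perl CGI: keep the `?` placeholders for values (the WHERE clause, LIMIT arguments and so on) and reserve allowlisting for the parts of a statement that cannot be parameters, such as column and table names and the sort direction.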