> On Mon, Jan 16, 2012 at 1:58 AM, <[email protected]> wrote:
>
>> Passing variables into [% ... %] is an ongoing problem for me.
>>
>> A key one is
>>
>> [% pagecode = data.page_name %] *picked up from the url*
>> [% sitename = data.sitename %]
>> [% FOREACH link = DBI.query("SELECT * FROM page_tb
>> WHERE (status = 2 AND
>> page_code = "$pagecode" AND
>>
>
> I'd be more worried about SQL injection attacks.
>

Please explain how this could happen from the url &page=foo.

> Move that code out of the Template and into a module, and always use bind
> parameters.

Can you give me a quick example? Currently I am coding each query in a separate pagenameqsl.ttml. Conditional statements select which ttml to call to populate the variables for rendering. Creating a module that I pass info to would be better.

Thanks
Shanta

_______________________________________________
templates mailing list
[email protected]
http://mail.template-toolkit.org/mailman/listinfo/templates
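An added example (not from the thread) of the module-plus-bind-parameters approach the reply recommends: the query lives in a Perl package, the value taken from the URL is passed through `?` placeholders, and the template only calls the method. It assumes DBD::SQLite and Template Toolkit are installed; the package and method names, and every column other than page_tb, page_code and status, are made up for the demo.

```perl
#!/usr/bin/perl
# The query moves out of the template into a package (name assumed).
package MyApp::Pages;
use strict;
use warnings;

sub new {
    my ($class, $dbh) = @_;
    return bless { dbh => $dbh }, $class;
}

# Rows for the live (status = 2) page identified by $pagecode.
# The "?" placeholders send the URL value to the database as data, so a
# quote inside it cannot alter the SQL the way "$pagecode" interpolation can.
sub published_links {
    my ($self, $pagecode) = @_;
    my $sth = $self->{dbh}->prepare(
        'SELECT * FROM page_tb WHERE status = ? AND page_code = ?');
    $sth->execute(2, $pagecode);
    return $sth->fetchall_arrayref({});   # arrayref of hashrefs
}

package main;
use strict;
use warnings;
use DBI;
use Template;

# Constructed in-memory stand-in for the real page_tb (url column assumed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE page_tb (page_code TEXT, status INTEGER, url TEXT)');
$dbh->do('INSERT INTO page_tb VALUES (?, ?, ?)', undef, @$_)
    for ['home', 2, '/'], ['about', 2, '/about'], ['draft', 1, '/draft'];

my $pages = MyApp::Pages->new($dbh);

# The template renders only; it never builds SQL text.
my $tmpl = <<'TT';
[% FOREACH link IN pages.published_links(data.page_name) %]<a href="[% link.url %]">[% link.page_code %]</a>
[% END %]
TT
my $tt = Template->new;
# Second value carries a quote: it matches no row instead of changing the query.
for my $page_name ('home', q{home' OR '1'='1}) {
    my $out = '';
    $tt->process(\$tmpl, { pages => $pages, data => { page_name => $page_name } }, \$out)
        or die $tt->error;
    print "page=$page_name =>\n$out";
}
```

In the real application the `$dbh` and `$pages` object would be created once in the Perl driver and passed into the stash, with each page's query becoming another method on the package rather than a separate .ttml file.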
