On Mon, Jan 16, 2012 at 11:54 AM, <[email protected]> wrote:
> > On Mon, Jan 16, 2012 at 1:58 AM, <[email protected]> wrote:
> >
> >> Passing variables into [% ... %] is an ongoing problem for me.
> >>
> >> a key one is
> >>
> >> [% pagecode = data.page_name %] *picked up from the url*
> >> [% sitename = data.sitename %]
> >> [% FOREACH link = DBI.query("SELECT * FROM page_tb
> >> WHERE (status = 2 AND
> >> page_code = "$pagecode" AND
> >>
> >
> > I'd be more worried about SQL injection attacks.
> >
>
> Please explain how this could happen from the url &page=foo

For example, this query string:

&page=foo%22+OR+1+%3D+1+OR+1+%3D+%22&site=bar

would result in the following SQL:

SELECT * FROM page_tb WHERE (status = 2 AND page_code = "foo" OR 1 = 1 OR 1 = "" AND sitename = "bar" ) ORDER BY sitename

which would return every row in the table.

Ronald
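An added, self-contained illustration of Ronald's point (not code from the thread or from Template Toolkit): the same page_tb query built by string interpolation next to a bind-parameter version, run against a constructed in-memory SQLite table. The literals are single-quoted rather than double-quoted because SQLite treats double quotes as identifiers; the table contents and the helper names are assumptions.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed rows standing in for the thread's page_tb: (page_code, sitename, status).
ROWS = [
    ("foo", "bar", 2),
    ("about", "bar", 2),
    ("secret", "other", 2),
    ("draft", "bar", 1),  # status != 2, should never be returned
]

# The page's payload, re-encoded for single-quoted literals (%27 instead of %22).
INJECTED_QS = "&page=foo%27+OR+1+%3D+1+OR+1+%3D+%27&site=bar"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page_tb (page_code TEXT, sitename TEXT, status INTEGER)")
    conn.executemany("INSERT INTO page_tb VALUES (?, ?, ?)", ROWS)
    return conn


def params_from_query_string(qs):
    """Decode the URL query string the way data.page_name / data.sitename are picked up."""
    q = parse_qs(qs)
    return q["page"][0], q["site"][0]


def vulnerable_query(conn, pagecode, sitename):
    """Mirrors the template: values are spliced into the SQL text before it is parsed."""
    sql = (
        f"SELECT * FROM page_tb WHERE (status = 2 AND page_code = '{pagecode}' "
        f"AND sitename = '{sitename}') ORDER BY sitename"
    )
    return conn.execute(sql).fetchall()


def safe_query(conn, pagecode, sitename):
    """Same query with bind parameters: the driver never treats the values as SQL."""
    sql = (
        "SELECT * FROM page_tb WHERE (status = 2 AND page_code = ? "
        "AND sitename = ?) ORDER BY sitename"
    )
    return conn.execute(sql, (pagecode, sitename)).fetchall()


if __name__ == "__main__":
    db = make_db()
    page, site = params_from_query_string(INJECTED_QS)
    print("interpolated:", len(vulnerable_query(db, page, site)), "rows")  # every row
    print("parameterised:", len(safe_query(db, page, site)), "rows")  # no rows
```

In Template Toolkit's DBI plugin the equivalent fix is to DBI.prepare the statement with ? placeholders and hand the values to query.execute(...) instead of interpolating $pagecode into the string.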
_______________________________________________
templates mailing list
[email protected]
http://mail.template-toolkit.org/mailman/listinfo/templates
