[ic] complex sql query in a scan link

Kevin Walsh interchange-users@icdevgroup.org
Wed Oct 2 18:54:00 2002


Chen Naor [chen@lilux.co.il] wrote:
> 
> Is it possible to make a complex sql query in a scan link? (I need to query
> from 2 different tables)
> for example:
> <a href="[area href=scan
>         arg=|
>         st=sql
>         sq=select distinct products.* from products,prod_tech  where
> products.sku=prod_tech.sku and products.category='BOGI' and
> (products.countries like '%ZZ%' or products.countries like 'E %') and
> prod_tech.tech1='big' order by products.sort
>         sp=results_bo_p3
>         ml=6
>             |]">show</a>
> 
> The query is working fine in pgsql.
> 
No, it is not.

Instead, create a link like the following:

    <a href="[area href=querypage form=|
        category=whatever
        anotherarg=something
        foo=bar
    |]">show</a>

Then create a "querypage.html" that includes a [query] tag and uses
the various URI arguments passed, such as [cgi category], in the
creation of its SQL query.

The scan's 'sq' parameter makes use of the SQL::Statement module,
which is not a full SQL parser and works on a pre-selected resultset.
If Interchange extracted arbitrary SQL statements from the URI and
passed them directly to your database server, the security of your
data would be at risk.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.biz
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
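Kevin's "querypage" approach reduced to a runnable illustration (an added example, not code from the thread or from Interchange): the SQL stays fixed in the page, the URI supplies only values such as category, and those values are bound as parameters instead of being spliced into the statement. Python/sqlite3 stands in for the ITL [query] tag; the two tables and their rows are constructed for the example, and only the category and tech1 arguments are taken from the URI.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed stand-ins for the two tables named in the original query,
# limited to the columns that query touches.
SCHEMA = """
CREATE TABLE products (sku TEXT, category TEXT, countries TEXT, sort INTEGER);
CREATE TABLE prod_tech (sku TEXT, tech1 TEXT);
"""
SAMPLE_ROWS = {  # constant, hard-coded data; never user supplied
    "products": [("A1", "BOGI", "ZZ,US", 2), ("A2", "BOGI", "E FR", 1),
                 ("A3", "BOGI", "US", 3), ("A4", "OTHER", "ZZ", 0)],
    "prod_tech": [("A1", "big"), ("A2", "big"), ("A3", "big"), ("A4", "big")],
}

# The statement lives in the page (the "querypage"), exactly as Kevin suggests.
# Every '?' is a bound parameter, so a URI value can never change the SQL.
SQL = """
SELECT DISTINCT products.sku, products.sort
  FROM products JOIN prod_tech ON products.sku = prod_tech.sku
 WHERE products.category = ? AND prod_tech.tech1 = ?
   AND (products.countries LIKE ? OR products.countries LIKE ?)
 ORDER BY products.sort
"""

def open_sample_db():
    """Build the in-memory sample database from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn

def query_products(query_string, conn=None):
    """Mimic querypage.html: read only the expected URI args and bind them.

    query_string is the raw URI query part, e.g. 'category=BOGI&tech1=big'.
    Returns the matching SKUs in products.sort order.
    """
    conn = conn or open_sample_db()
    args = parse_qs(query_string)
    category = args.get("category", [""])[0]   # like [cgi category]
    tech1 = args.get("tech1", [""])[0]
    # The country patterns are fixed in the page, as in the original query.
    params = (category, tech1, "%ZZ%", "E %")
    return [sku for sku, _sort in conn.execute(SQL, params)]
```

A value such as `category=BOGI' OR '1'='1` is compared literally against the category column and simply matches nothing, which is the difference between this and handing the URI's own SQL to the server.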