[ic] SQL query as cgi par: strange behavior

Stefan Hornburg (Racke) racke at linuxia.de
Fri Dec 2 11:46:17 UTC 2011


On 12/02/2011 12:31 PM, Marco Mescoli wrote:
> --- query.html -------
> [query type=list sql="[cgi sql]"]
>    [list]<br />[sql-param sku][/list]
> [/query]
> ---------------------
> If in the cgi-par sql I put a query on products with the operator greater than, the char '>', all goes well; instead if I put the char '<' (less than) it is replaced with its HTML entity name so the query doesn't run.
>
> Do you know why?
>
> Thanks to the list
>

1. You have to be extremely careful with using CGI parameters directly inside queries.
2. I guess the following prevents mangling of <

[query type=list sql=`$CGI->{sql}`]
     [list]<br />[sql-param sku][/list]
[/query]

Regards
         Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
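Added here as a defender-side illustration of point 1 in the reply above (this is not code from the thread or from Interchange; it is Python against a constructed in-memory SQLite table rather than ITL): the request supplies only a column name, an operator and a value, the first two are checked against allow-lists and the value is bound as a placeholder, so neither '<' nor anything else in a CGI parameter can change the statement. The parameter names column, op and value are assumed.

```python
import sqlite3

# Allow-lists: a request may pick only these; free-form SQL is never accepted.
ALLOWED_COLUMNS = {"price", "sku"}
NUMERIC_COLUMNS = {"price"}
ALLOWED_OPERATORS = {"<", ">", "="}


def build_products_query(cgi):
    """Turn structured CGI parameters (assumed names: column, op, value) into
    a parameterized statement. Returns (sql, params) or raises ValueError."""
    column = cgi.get("column", "")
    op = cgi.get("op", "")
    value = cgi.get("value", "")
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column")
    if op not in ALLOWED_OPERATORS:
        raise ValueError("unknown operator")
    if column in NUMERIC_COLUMNS:
        try:
            value = float(value)  # reject "20 OR ..." style text for numerics
        except ValueError:
            raise ValueError("value must be numeric")
    # Identifier and operator come from allow-lists; the value is bound as a
    # placeholder, so characters in it never reach the SQL parser as syntax.
    sql = f"SELECT sku FROM products WHERE {column} {op} ? ORDER BY sku"
    return sql, (value,)


def run_query(conn, cgi):
    """Execute the validated query and return the matching SKUs."""
    sql, params = build_products_query(cgi)
    return [row[0] for row in conn.execute(sql, params)]


def demo_connection():
    """Constructed in-memory products table standing in for the shop DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price REAL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [("os28004", 9.95), ("os28005", 19.95), ("os28006", 49.0)])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(run_query(conn, {"column": "price", "op": "<", "value": "20"}))
    try:  # the old pattern (a whole query in one parameter) is refused
        run_query(conn, {"sql": "select sku from products where price < 20"})
    except ValueError as err:
        print("rejected:", err)
```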