[ic] SQL query as cgi par: strange behavior
Stefan Hornburg (Racke)
racke at linuxia.de
Fri Dec 2 11:46:17 UTC 2011
On 12/02/2011 12:31 PM, Marco Mescoli wrote:
> --- query.html -------
> [query type=list sql="[cgi sql]"]
> [list]<br />[sql-param sku][/list]
> [/query]
> ---------------------
> If in the cgi-par sql I put a query on products with the operator greater than, the char '>', all goes well; instead, if I put the char '<' (less than), it is replaced with its HTML entity name, so the query doesn't run.
>
> Do you know why?
>
> Thanks to the list
>
1. You have to be extremely careful with using CGI parameters directly inside queries.
2. I guess the following prevents mangling of <
[query type=list sql=`$CGI->{sql}`]
[list]<br />[sql-param sku][/list]
[/query]
Regards
Racke
--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
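The two variants discussed in this thread, as an added example that is not code from the thread or from Interchange itself. It models them with SQLite: a handler that executes whatever SQL text arrives in the request parameter (the `$CGI->{sql}` pattern), the same handler behind a constructed stand-in filter that entity-encodes only `<` (an analogue of the mangling Marco reports, not a reproduction of Interchange's real `[cgi]` filtering), and a hardened handler in which the application owns the statement and the client supplies only a whitelisted operator name and a numeric bound. The table data, the function names (`make_db`, `run_cgi_sql`, `run_cgi_sql_filtered`, `handle_request`) and the `userdb` table are all constructed for the example.

```python
"""Added example, not code from the Interchange thread or from Interchange itself.

Models the variants discussed above with an in-memory SQLite database:
  * run_cgi_sql           - the query text comes straight from the request
  * run_cgi_sql_filtered  - the same, but '<' is entity-encoded first
    (constructed stand-in for the mangling reported in the thread; it does
    not reproduce Interchange's real [cgi] filtering)
  * handle_request        - the application owns the SQL; the client only
    supplies a whitelisted operator name and a numeric bound
All table data is constructed here and exists only in memory.
"""
import math
import sqlite3
from typing import Optional

# Operator names a client may send, mapped to the SQL the application emits.
ALLOWED_OPS = {"lt": "<", "gt": ">", "le": "<=", "ge": ">="}


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a products table plus a table the client
    should never be able to read."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE products (sku TEXT PRIMARY KEY, price REAL NOT NULL);
        INSERT INTO products VALUES ('A100', 5.0), ('B200', 15.0), ('C300', 25.0);
        CREATE TABLE userdb (username TEXT, password TEXT);
        INSERT INTO userdb VALUES ('admin', 's3cret');
        """
    )
    return con


def run_cgi_sql(con: sqlite3.Connection, cgi_sql: str) -> Optional[list]:
    """The sql=`$CGI->{sql}` pattern: whatever arrives in the parameter is
    executed as-is. Returns None if the text is not a valid statement."""
    try:
        return con.execute(cgi_sql).fetchall()
    except sqlite3.Error:
        return None


def run_cgi_sql_filtered(con: sqlite3.Connection, cgi_sql: str) -> Optional[list]:
    """Stand-in for a '<'-only entity filter between the CGI layer and SQL.
    'price < 10' becomes 'price &lt; 10', which SQLite cannot parse."""
    return run_cgi_sql(con, cgi_sql.replace("<", "&lt;"))


def handle_request(con: sqlite3.Connection, params: dict) -> Optional[list]:
    """Hardened form: fixed statement, operator chosen from a whitelist, bound
    value validated and passed as a bind parameter. Returns None on bad input."""
    op = ALLOWED_OPS.get(params.get("op", ""))
    if op is None:
        return None
    try:
        bound = float(params.get("bound", ""))
    except (TypeError, ValueError):
        return None
    if not math.isfinite(bound):
        return None
    # Only the operator, drawn from ALLOWED_OPS, is interpolated; the client
    # value travels as a bind parameter and can never change the statement.
    rows = con.execute(
        f"SELECT sku FROM products WHERE price {op} ? ORDER BY sku", (bound,)
    )
    return [sku for (sku,) in rows]


if __name__ == "__main__":
    db = make_db()
    # '>' survives the filter, '<' does not: the symptom from the thread.
    print(run_cgi_sql_filtered(db, "SELECT sku FROM products WHERE price > 10"))
    print(run_cgi_sql_filtered(db, "SELECT sku FROM products WHERE price < 10"))
    # Dropping the filter makes '<' work, but the client still picks the table.
    print(run_cgi_sql(db, "SELECT sku FROM products WHERE price < 10"))
    print(run_cgi_sql(db, "SELECT username, password FROM userdb"))
    # The hardened handler answers the intended question and nothing else.
    print(handle_request(db, {"op": "lt", "bound": "10"}))
    print(handle_request(db, {"op": "lt", "bound": "10 OR 1=1"}))
```

Run stand-alone, the script shows the `<` query failing only behind the filter, the unfiltered variant answering `SELECT username, password FROM userdb` just as readily as a product lookup, and the hardened handler returning `['A100']` for `lt 10` while rejecting `10 OR 1=1` and any operator not in `ALLOWED_OPS`. Racke's workaround cures the entity-encoding symptom; only moving the statement out of the request cures the exposure in his first point.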