Antonio Gallardo Rivera wrote:
Just a question. Please don't take it wrong.
Can you send a "DROP TABLE mytable" in the following example of an XSP page? I
am using mod-db stuff too.
I do not see a possibility of the aforementioned "DROP TABLE" exploit in
this case. The only "unverified" data here is "id" and it is making its way
into the query via two mechanisms that would ensure its safety:
1) Integer.parseInt()
2) PreparedStatement.setInt() that is generated by <esql:parameter> element.
I say, you're safe here.
--
Ilya
<esql:execute-query>
  <esql:query>
    SELECT * FROM mytable
    WHERE mytable_id=
    <esql:parameter type="int">
      <xsp:expr>
        Integer.parseInt(
          <xsp-request:get-parameter name="id" default="0"/>
        )
      </xsp:expr>
    </esql:parameter>
  </esql:query>
</esql:execute-query>
Antonio Gallardo
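As an added illustration of the two mechanisms Ilya names (this is not code from the thread or from Cocoon's ESQL logicsheet, but a Python/sqlite3 analogue): parse_id approximates Java's Integer.parseInt (optional sign, ASCII digits only, 32-bit range, NumberFormatException becomes ValueError), and lookup binds the result as a parameter the way <esql:parameter type="int"> turns into PreparedStatement.setInt. The table, rows and function names are constructed for the example; lookup_concatenated is included only to contrast the bound parameter with the string-splicing form.

```python
import re
import sqlite3

# Constructed sample rows standing in for "mytable" from the thread.
SAMPLE_ROWS = [(1, "alice"), (2, "bob")]

# Integer.parseInt accepts an optional sign and ASCII digits only, and rejects
# anything outside the signed 32-bit range. Python's int() is more permissive
# (whitespace, underscores, non-ASCII digits), so narrow it to the Java rules
# that the ESQL page actually relies on.
_INT_RE = re.compile(r"[+-]?[0-9]+")
INT_MIN, INT_MAX = -2**31, 2**31 - 1


def build_db():
    """Create an in-memory SQLite database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (mytable_id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def parse_id(raw, default="0"):
    """Mirror Integer.parseInt(<xsp-request:get-parameter name="id" default="0"/>).

    A missing parameter falls back to the default. Anything that is not a plain
    32-bit integer raises ValueError, as parseInt would throw
    NumberFormatException, so such a request never reaches the query at all.
    """
    if raw is None:
        raw = default
    if not _INT_RE.fullmatch(raw):
        raise ValueError(f"not an integer: {raw!r}")
    value = int(raw)
    if not INT_MIN <= value <= INT_MAX:
        raise ValueError(f"out of 32-bit range: {raw!r}")
    return value


def is_safe_id(raw):
    """True if parse_id would accept the raw request value, False if it rejects it."""
    try:
        parse_id(raw)
        return True
    except ValueError:
        return False


def lookup(conn, raw_id):
    """Hardened form: integer gate, then the value is bound (setInt equivalent)."""
    mytable_id = parse_id(raw_id)
    cur = conn.execute("SELECT * FROM mytable WHERE mytable_id = ?", (mytable_id,))
    return cur.fetchall()


def lookup_concatenated(conn, raw_id):
    """Weak form for contrast: the raw value is spliced into the SQL text, so the
    database parses it as part of the statement instead of treating it as data."""
    cur = conn.execute("SELECT * FROM mytable WHERE mytable_id = " + raw_id)
    return cur.fetchall()


if __name__ == "__main__":
    conn = build_db()
    print(lookup(conn, "2"))                      # [(2, 'bob')]
    print(lookup(conn, None))                     # [] (default id 0 matches no row)
    print(is_safe_id("1; DROP TABLE mytable"))    # False: rejected before any SQL runs
    print(lookup_concatenated(conn, "1 OR 1=1"))  # both rows: the spliced form leaks
```

The integer gate alone already stops the "DROP TABLE" case, because the payload is not an integer; the bound parameter is the second, independent layer, and it is the one that matters in pages where the parameter is a string rather than an int.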