On 11.Nov.2002 -- 03:29 PM, Christian Joelly wrote:
> Hello!
>
> On Mon, Nov 11, 2002 at 11:17:15AM +0100, Christian Haul wrote:
> > On 07.Nov.2002 -- 09:44 AM, Christian Joelly wrote:
> > >
> > > thanks for your answer. I'd prefer to use the version 2.0.1 for this
> > > application, because maybe there are some other problems rising when I
> > > switch the cocoon version during development... ;-)
> >
> > Fair enough. OTOH many issues have been resolved. There should be no
> > change in the user visible interface apart from stuff in scratchpad.
>
> I'm now working to integrate cocoon 2.0.3 with my application, but I see
> there are some issues that are strange:
>
> I wrote lots of sql queries in the following manner:
> (as I usually did with other frameworks or dev tools)
>
> <xsp:logic>
> sQuery = "SELECT DISTINCT "
>        + "    nUserID, "
>        + "    sUserName "
>        + "FROM "
>        + "    users";
>
> if (sNachname != null) {
>     sQuery += " WHERE "
>            + "    sNachname LIKE \"" + sNachname + "%\"";
> }
>
> <!-- lots of other tests go here... -->
>
> </xsp:logic>
Right, this appears to be a bug in Xalan, see
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=8734
If you don't use the same type of quotes inside the string, it is OK,
IIRC. The other option is to use search and replace all \" with ':
s/\\"/'/g
Please be aware that the above code may allow a user to substitute
sNachname with a string like '"; close database; drop database somedb;',
which is probably not intended. Consider using prepared statements like
<esql:query>select distinct nUserID, sUserName from users where
sNachname like <esql:parameter><xsp:expr>sNachname+"%"</xsp:expr></esql:parameter></esql:query>
Chris.
--
C h r i s t i a n H a u l
[EMAIL PROTECTED]
fingerprint: 99B0 1D9D 7919 644A 4837 7D73 FEF9 6856 335A 9E08
---------------------------------------------------------------------
Please check that your question has not already been answered in the
FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html>
To unsubscribe, e-mail: <[EMAIL PROTECTED]>
For additional commands, e-mail: <[EMAIL PROTECTED]>
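An added example, not from this thread and not Cocoon or ESQL code, that puts the concatenation pattern from the quoted XSP beside the prepared-statement equivalent of the <esql:parameter> suggestion. It uses Python with the standard-library sqlite3 module so it runs offline; the users table and its three rows are constructed here. The vulnerable function builds its literal with standard single quotes rather than the escaped double quotes of the original (the flaw does not depend on the quote character), and the malicious input is a tautology rather than the stacked "drop database" from the reply, because sqlite3 refuses more than one statement per execute call.

```python
import sqlite3

# Constructed sample data standing in for the "users" table in the thread.
SAMPLE_USERS = [
    (1, "alice", "Mueller"),
    (2, "bob", "Meier"),
    (3, "carol", "Schmidt"),
]


def make_db():
    """Return an in-memory SQLite connection populated with SAMPLE_USERS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (nUserID INTEGER, sUserName TEXT, sNachname TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_users_unsafe(conn, sNachname):
    """The concatenation pattern from the thread: the caller's input is
    pasted straight into the SQL text, so a quote in the input ends the
    literal and the rest is parsed as SQL."""
    sQuery = "SELECT DISTINCT nUserID, sUserName FROM users"
    if sNachname is not None:
        sQuery += " WHERE sNachname LIKE '" + sNachname + "%'"
    return conn.execute(sQuery).fetchall()


def find_users_safe(conn, sNachname):
    """Prepared-statement version, the equivalent of <esql:parameter>:
    the input travels to the database as a bound value, never as SQL text,
    so quotes in it are just characters to compare against."""
    sQuery = "SELECT DISTINCT nUserID, sUserName FROM users"
    params = ()
    if sNachname is not None:
        sQuery += " WHERE sNachname LIKE ?"
        params = (sNachname + "%",)
    return conn.execute(sQuery, params).fetchall()


def demo():
    """Run both variants on an honest prefix and on an injected one."""
    conn = make_db()
    honest = "M"
    # Closes the literal and ORs in a condition that is always true; the
    # trailing "%'" appended by the unsafe builder then completes the
    # second LIKE literal harmlessly.
    evil = "nobody%' OR '1' LIKE '1"
    return {
        "honest_unsafe": find_users_unsafe(conn, honest),
        "honest_safe": find_users_safe(conn, honest),
        "evil_unsafe": find_users_unsafe(conn, evil),  # every row leaks
        "evil_safe": find_users_safe(conn, evil),      # no surname matches
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

One caveat that binding alone does not cover: in the safe version the input still reaches the LIKE operator as a pattern, so a user-supplied "%" or "_" widens the match (an input of "%" returns everyone). If that matters, escape those two characters in the value and add an ESCAPE clause to the query.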