On Mon, Jan 16, 2012 at 1:58 AM, <[email protected]> wrote:
>
> Passing variables into [% ... %] is an ongoing problem for me.
>
> A key one is
>
> [% pagecode = data.page_name %] *picked up from the url*
> [% sitename = data.sitename %]
> [% FOREACH link = DBI.query("SELECT * FROM page_tb
> WHERE (status = 2 AND
> page_code = "$pagecode" AND
>
I'd be more worried about SQL injection attacks.
Move that code out of the Template and into a module, and always use bind
parameters.
--
Bill Moseley
[email protected]
_______________________________________________
templates mailing list
[email protected]
http://mail.template-toolkit.org/mailman/listinfo/templates
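As an added illustration of the advice above (not code from the thread or from Template Toolkit itself), the following script moves the page lookup out of the template and into a small module that uses a DBI bind parameter, and runs it next to the interpolated form so the difference is visible. Only the table name page_tb and the status / page_code columns come from the quoted template; the module name MyApp::Pages, the title column, the sample rows, the use of an in-memory SQLite database (DBD::SQLite) and the hostile page code are assumptions made for the demo. Because SQLite delimits strings with single quotes, the unsafe variant uses those where the template used double quotes; on MySQL the double-quoted form behaves the same way.

```perl
#!/usr/bin/env perl
# Added example, not from the original mailing-list thread.
# Assumed: module name MyApp::Pages, a title column, DBD::SQLite, sample rows.
use strict;
use warnings;
use DBI;

package MyApp::Pages;

# Returns an arrayref of hashrefs for published pages with the given code.
# The value is sent as a bind parameter, so it never becomes part of the SQL text.
sub pages_by_code {
    my ($dbh, $pagecode) = @_;
    my $sth = $dbh->prepare(
        'SELECT * FROM page_tb WHERE status = 2 AND page_code = ?'
    );
    $sth->execute($pagecode);
    return $sth->fetchall_arrayref({});
}

# The template's interpolated form, kept only to show what goes wrong.
# (Single quotes here because SQLite uses them for strings; the template's
# double quotes play the same role on MySQL.)
sub pages_by_code_unsafe {
    my ($dbh, $pagecode) = @_;
    return $dbh->selectall_arrayref(
        "SELECT * FROM page_tb WHERE status = 2 AND page_code = '$pagecode'",
        { Slice => {} }
    );
}

package main;

# Constructed in-memory database for the demo (assumption: DBD::SQLite is installed).
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE page_tb (page_code TEXT, status INTEGER, title TEXT)');
my $ins = $dbh->prepare('INSERT INTO page_tb VALUES (?, ?, ?)');
$ins->execute(@$_) for (
    [ 'home',  2, 'Home' ],
    [ 'admin', 2, 'Admin console' ],
    [ 'draft', 1, 'Unpublished draft' ],
);

# A page code as it might arrive from the URL (data.page_name in the template).
# Constructed hostile value: closes the string and disables the status filter.
my $hostile = q{x' OR '1'='1};

my $unsafe = MyApp::Pages::pages_by_code_unsafe($dbh, $hostile);
my $safe   = MyApp::Pages::pages_by_code($dbh, $hostile);

printf "interpolated: %d rows (status filter bypassed, draft included)\n", scalar @$unsafe;
printf "bound:        %d rows (no page has that code)\n", scalar @$safe;

# The controller then hands the result to the template instead of letting the
# template talk to the database:
#   $template->process('page.tt', { links => MyApp::Pages::pages_by_code($dbh, $page_name) });
# and the template only iterates:
#   [% FOREACH link IN links %]<a href="[% link.page_code %]">[% link.title %]</a>[% END %]
```

The interpolated query returns all three rows, including the unpublished draft, because the injected OR clause is true for every row; the bound query returns none, since no page has the literal code x' OR '1'='1. Keeping DBI out of the template also means the query can be tested and reviewed in one place rather than wherever [% DBI.query %] happens to be used.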