Lars Huttar wrote:
> HOWEVER...
> if the request parameter is not to be used as a literal value
> but as a table or column name, <esql:parameter> doesn't
> work. E.g. in
> SELECT count(*) TOTAL FROM <xsp-request:get-parameter name="table"/>
> where <xsp-request:get-parameter name="column" /> is not null
>
> If I try to wrap the above <xsp-request:get-parameter> elements
> with <esql:parameter> elements, the query fails.
> If I treat the table parameter that way, I get an "invalid table name"
> error. If I do that to the column parameter, the Select selects all
> rows.
> In other words, it's acting as though the table name or column name
> were put in quotes.
>
> SO...
> Given that the table name and column name could be vulnerable
> to URL exploits, how do I protect them in esql?
> Any suggestions?
Do you really want users to be able to access any table? I suggest probably not.

You could use a Selector to check that the "table" parameter falls into a set of allowed values.
http://cocoon.apache.org/2.1/userdocs/selectors/requestparameter-selector.html

Or the WildcardRequestParameterMatcher, which would allow you to specify the list of tables as a single regular expression I believe (though I've not done this myself).
http://cocoon.apache.org/2.1/userdocs/concepts/matchers_selectors.html#Using+Matchers
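An added example, not from this thread or from Cocoon, of the allowlist approach the reply suggests, written in Python with sqlite3 standing in for the database. It shows the point behind both messages: table and column names cannot be bound as SQL parameters the way <esql:parameter> binds literal values, so they are checked against a fixed set the application defines before they are placed in the query, while literal values still go through bind parameters. The ALLOWED map, the schema and the sample rows are constructed for the example.

```python
import sqlite3

# Allowlist of identifiers a request is permitted to name. Assumption: the
# application knows its own schema, so this is the programmatic equivalent of
# the request-parameter selector suggested in the reply (constructed values).
ALLOWED = {
    "customers": {"name", "email", "phone"},
    "orders": {"customer_id", "shipped_at"},
}


def validated_identifier(table, column):
    """Return (table, column) only if both appear in ALLOWED; raise otherwise.

    Identifiers are not values: a driver cannot bind them, and quoting them as
    strings produces the "invalid table name" / "selects all rows" behaviour
    described in the question. Membership in a fixed set is the check instead.
    """
    if table not in ALLOWED:
        raise ValueError("table not allowed: %r" % (table,))
    if column not in ALLOWED[table]:
        raise ValueError("column not allowed: %r" % (column,))
    return table, column


def count_not_null(conn, table, column):
    """The query from the question: count rows where <column> is not null."""
    table, column = validated_identifier(table, column)
    # Identifiers are interpolated only after the allowlist check above.
    sql = 'SELECT count(*) AS total FROM "%s" WHERE "%s" IS NOT NULL' % (table, column)
    return conn.execute(sql).fetchone()[0]


def count_with_filter(conn, table, column, value):
    """Same shape, but with a literal value: identifiers are allowlisted,
    the value is passed as a bind parameter (the esql:parameter case)."""
    table, column = validated_identifier(table, column)
    sql = 'SELECT count(*) AS total FROM "%s" WHERE "%s" = ?' % (table, column)
    return conn.execute(sql, (value,)).fetchone()[0]


def build_sample_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE customers (name TEXT, email TEXT, phone TEXT);
        INSERT INTO customers VALUES ('alice', 'a@example.org', NULL);
        INSERT INTO customers VALUES ('bob', NULL, '555-0100');
        INSERT INTO customers VALUES ('carol', 'c@example.org', '555-0101');
        CREATE TABLE orders (customer_id INTEGER, shipped_at TEXT);
        INSERT INTO orders VALUES (1, NULL);
        INSERT INTO orders VALUES (2, '2004-01-01');
        """
    )
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print(count_not_null(db, "customers", "email"))          # 2
    print(count_with_filter(db, "customers", "name", "bob"))  # 1
    try:
        count_not_null(db, "sqlite_master", "name")
    except ValueError as err:
        print("rejected:", err)
```

The allowlist is the whole defence: any name not in ALLOWED is refused before the SQL string exists, so the request can only select among tables and columns the application already intended to expose. Values such as the filter argument are bound, never concatenated, so a value containing a quote is compared literally rather than parsed as SQL.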
