<xsp:logic>
String paramopen = "<esql:parameter>"; // open esql parameter tag
String paramclose = "</esql:parameter>"; // close esql:parameter tag
This is a fundamental misconception. You cannot add unparsed tags.
XSP execution happens after the parsing process.
String region = <xsp-request:get-parameter name="region"/>;
String whereclause = "";
if (region != null) {
    // if region defined in request parameters, include it in where clause
    // but make the value a bound parameter
    whereclause = " AND cr.region = " + paramopen + region + paramclose;
}
You are mixing things up. :) Better have a look into the examples.
What you want to do here is build the clause... which has nothing to do with esql! Drop the paramopen/close stuff and you are fine.
</xsp:logic>
<esql:connection>
<esql:pool>utadoci</esql:pool>
<esql:execute-query>
<esql:query>SELECT program.name, trip.title FROM trip, program WHERE trip.program_id=program.program_id <xsp:expr>whereclause</xsp:expr>
</esql:query>
Although this is the right idea you'll get a SQL injection vulnerability.
Always(!!) use esql:parameter to insert dynamic values - or at least never pass request values directly.
The above will work but is NOT recommended!
Does anyone have any advice, or a basic plan for tackling this?
Hope I got you on the right track :)
cheers -- Torsten
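For reference, this is the shape the hardened version of the snippet above takes: the request value is handed to esql:parameter as a bound value instead of being spliced into the statement text, and the "no region given" case is handled by running an unfiltered query rather than by building SQL from strings. This is an added example, not code from the thread or from Cocoon itself. It keeps the pool name, tables and columns from the quoted page, assumes the usual XSP idiom of opening and closing a Java if/else across two xsp:logic elements, and the trip/program/title output elements inside esql:results are placeholders. The cr alias is written as it appears on the page but is not declared in the quoted FROM clause, so it has to match the real schema.

```xml
<xsp:logic>
  // Missing request parameter yields null; null means "no region filter".
  String region = <xsp-request:get-parameter name="region"/>;
</xsp:logic>

<esql:connection>
  <esql:pool>utadoci</esql:pool>

  <!-- assumed XSP idiom: the Java if/else is opened and closed in xsp:logic blocks -->
  <xsp:logic>if (region != null) {</xsp:logic>
    <esql:execute-query>
      <esql:query>
        SELECT program.name, trip.title
        FROM trip, program
        WHERE trip.program_id = program.program_id
          <!-- the value is bound as a parameter, never concatenated into the SQL text -->
          AND cr.region = <esql:parameter><xsp:expr>region</xsp:expr></esql:parameter>
      </esql:query>
      <esql:results>
        <esql:row-results>
          <!-- placeholder output elements -->
          <trip>
            <program><esql:get-string column="name"/></program>
            <title><esql:get-string column="title"/></title>
          </trip>
        </esql:row-results>
      </esql:results>
    </esql:execute-query>
  <xsp:logic>} else {</xsp:logic>
    <esql:execute-query>
      <esql:query>
        SELECT program.name, trip.title
        FROM trip, program
        WHERE trip.program_id = program.program_id
      </esql:query>
      <esql:results>
        <esql:row-results>
          <trip>
            <program><esql:get-string column="name"/></program>
            <title><esql:get-string column="title"/></title>
          </trip>
        </esql:row-results>
      </esql:results>
    </esql:execute-query>
  <xsp:logic>}</xsp:logic>
</esql:connection>
```

The difference matters because of how the two versions treat the request value. With the concatenated whereclause, a region such as x' OR '1'='1 becomes part of the SQL statement itself and changes what the query does; with esql:parameter the value is passed to the driver as data for a placeholder, so the same input is simply compared against cr.region and matches nothing. If region can only ever be one of a fixed set of values, checking it against that set in the xsp:logic block before running either query is a cheap additional guard, but it is not a substitute for binding.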
