Joose Vettenranta wrote:
This is a bad query.
Better is to use the tools we have. So the query should be written like this:
<esql:query>
SELECT rub_position FROM m_rub_player_ope WHERE player_url_name = <esql:parameter type="string"><xsp:expr>player_url_name</xsp:expr></esql:parameter> ORDER BY rub_position LIMIT 1
</esql:query>
Now it is escaped and prevents SQL injection, which the original query did not do.
HTH,
Joose
On 18.5.2004 at 10:49, Olivier Billard wrote:
Hi homonym,
This solution works "if it works"!
But if the first query fails, you'll get an unexpected result for the second query if maxpos is not initialized...
Remember that queries can be embedded in each other:
sql = "SELECT rub_position FROM m_rub_player_ope WHERE player_url_name = '"+player_url_name+"' ORDER BY rub_position LIMIT 1";
<esql:connection>
<esql:pool>my_pool</esql:pool>
<esql:execute-query>
<esql:query><xsp:expr>sql</xsp:expr></esql:query>
<esql:results>
<esql:row-results>
<xsp:logic>
maxpos = <esql:get-int column="rub_position"/>;
maxpos = maxpos + 10;
<esql:execute-query>
<esql:query>
INSERT INTO m_rub_player_ope (rub_id,player_url_name,ope_url_name,rub_display,rub_position)
VALUES (
<esql:parameter type="string"><xsp:expr>rub_id</xsp:expr></esql:parameter>,
<esql:parameter type="string"><xsp:expr>player_url_name</xsp:expr></esql:parameter>,
<esql:parameter type="string"><xsp:expr>ope_url_name</xsp:expr></esql:parameter>,
<esql:parameter type="string">oui</esql:parameter>,
'<xsp:expr>maxpos</xsp:expr>');
</esql:query>
<esql:error-results><message>Error during Insert</message></esql:error-results>
<esql:update-results>
<esql:get-update-count/><message continuer="do-list-rub.html">Your record is adding ya can click on </message>
</esql:update-results>
</esql:execute-query>
</xsp:logic>
</esql:row-results>
</esql:results>
</esql:execute-query>
<esql:error-results>
// deal with errors here
</esql:error-results>
</esql:connection>
HTH, -- Olivier Billard
olivier demah wrote:
olivier demah wrote:
Hi,
I would like to know if I can store the result of an ESQL query in a variable to be reused in another ESQL query later in the same XSP?
regards
Here is the solution:
sql = "SELECT rub_position FROM m_rub_player_ope WHERE player_url_name = '"+player_url_name+"' ORDER BY rub_position LIMIT 1";
<esql:connection>
<esql:pool>my_pool</esql:pool>
<esql:execute-query>
<esql:query><xsp:expr>sql</xsp:expr></esql:query>
<esql:results>
<esql:row-results>
<xsp:logic>
maxpos = <esql:get-int column="rub_position"/>;
maxpos = maxpos + 10;
</xsp:logic>
</esql:row-results>
</esql:results>
</esql:execute-query>
<esql:execute-query>
<esql:query>
INSERT INTO m_rub_player_ope (rub_id,player_url_name,ope_url_name,rub_display,rub_position)
VALUES (
<esql:parameter type="string"><xsp:expr>rub_id</xsp:expr></esql:parameter>,
<esql:parameter type="string"><xsp:expr>player_url_name</xsp:expr></esql:parameter>,
<esql:parameter type="string"><xsp:expr>ope_url_name</xsp:expr></esql:parameter>,
<esql:parameter type="string">oui</esql:parameter>,
'<xsp:expr>maxpos</xsp:expr>');
</esql:query>
<esql:error-results><message>Error during Insert</message></esql:error-results>
<esql:update-results>
<esql:get-update-count/><message continuer="do-list-rub.html">Your record is adding ya can click on </message>
</esql:update-results>
</esql:execute-query>
</esql:connection>
Thanks to steve_k on [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- "Always remember that you are unique, just like everyone else!" * http://iki.fi/joose/ * [EMAIL PROTECTED] * +358 44 561 0270 *
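The two points raised in this thread, the injection through the string-built `sql = "... '" + player_url_name + "' ..."` line and the uninitialised `maxpos` when the first SELECT returns no row, as an added example that is not part of the thread and is not Cocoon/ESQL code. It stands in Python's sqlite3 for the `my_pool` connection, builds a constructed in-memory copy of `m_rub_player_ope` with a few sample rows, and uses hypothetical function names (`first_position_concat`, `first_position_param`, `add_rubric`, `concat_breaks_on_quote`); the `?` bind parameter plays the role of `<esql:parameter type="string">`.

```python
import sqlite3

# Constructed sample data standing in for the real m_rub_player_ope table.
SAMPLE_ROWS = [
    ("r1", "alice", "op1", "oui", 10),
    ("r2", "alice", "op1", "oui", 20),
    ("r3", "bob", "op2", "oui", 30),
]


def setup_db():
    """In-memory SQLite stand-in for the my_pool connection (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE m_rub_player_ope ("
        "rub_id TEXT, player_url_name TEXT, ope_url_name TEXT, "
        "rub_display TEXT, rub_position INTEGER)"
    )
    conn.executemany(
        "INSERT INTO m_rub_player_ope VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def first_position_concat(conn, player_url_name):
    """Vulnerable: the same string concatenation as the thread's 'sql = ...' line.
    Returns the lowest rub_position for the player, or None if there is no row."""
    sql = (
        "SELECT rub_position FROM m_rub_player_ope WHERE player_url_name = '"
        + player_url_name
        + "' ORDER BY rub_position LIMIT 1"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def first_position_param(conn, player_url_name):
    """Safe: the value is sent as a bind parameter (the equivalent of
    <esql:parameter type="string">), so quotes inside it cannot change the SQL."""
    sql = (
        "SELECT rub_position FROM m_rub_player_ope "
        "WHERE player_url_name = ? ORDER BY rub_position LIMIT 1"
    )
    row = conn.execute(sql, (player_url_name,)).fetchone()
    return row[0] if row else None


def add_rubric(conn, rub_id, player_url_name, ope_url_name, default_pos=10):
    """Second query reusing the first query's result. When the SELECT returns
    no row, maxpos falls back to default_pos instead of whatever an
    uninitialised variable happened to hold. Returns (update count, maxpos)."""
    pos = first_position_param(conn, player_url_name)
    maxpos = default_pos if pos is None else pos + 10
    cur = conn.execute(
        "INSERT INTO m_rub_player_ope "
        "(rub_id, player_url_name, ope_url_name, rub_display, rub_position) "
        "VALUES (?, ?, ?, ?, ?)",
        (rub_id, player_url_name, ope_url_name, "oui", maxpos),
    )
    conn.commit()
    return cur.rowcount, maxpos


def concat_breaks_on_quote(conn, player_url_name):
    """True if the concatenated query is rejected by the database for this
    input; a legitimate name such as o'brien is enough to break it."""
    try:
        first_position_concat(conn, player_url_name)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = setup_db()
    payload = "' OR '1'='1"  # constructed attacker input, no such player exists
    print("concat, payload:", first_position_concat(db, payload))  # 10: WHERE clause neutralised
    print("param,  payload:", first_position_param(db, payload))   # None: no such player
    print("add for new player:", add_rubric(db, "r4", "carol", "op3"))  # (1, 10)
```

With the concatenated query the payload collapses the WHERE clause to `player_url_name = '' OR '1'='1'` and returns another player's row; the parameterised query looks for a player literally named that and finds nothing. `add_rubric` also shows the fallback Olivier asked about: a player with no existing row gets `default_pos`, while an existing player gets their lowest position plus 10.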
