Hi,
You should not do the INSERT that way; it's an opening for SQL injection attacks.
Every parameter that can be changed by a user or a hacker should be checked and rechecked.
So, do the insert like this in ESQL+XSP:
<esql:query>
  INSERT INTO tablename (field1, field2) VALUES (
    <esql:parameter type="string"><xsp:expr>value1</xsp:expr></esql:parameter>,
    <esql:parameter type="string"><xsp:expr>value2</xsp:expr></esql:parameter>)
</esql:query>
Check the Cocoon site for more information about ESQL and the parameter element.
HTH, Joose
On 22.7.2004 at 11:28, milkwaybridge wrote:
There are some input areas on the page; users' input will be saved in the database.
I use CForm and ESQL, and it turned out that the user cannot input the character ', because ESQL uses it to quote values:
<esql:query> insert into tablename (field1, field2) values ('value1','value2') </esql:query>
Now I don't know what to do.
Thanks for your help!
-- "Always remember that you are unique, just like everyone else!" * http://iki.fi/joose/ * [EMAIL PROTECTED] * +358 44 561 0270 *
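The two INSERT styles discussed above, side by side, as an added example that is not code from either poster or from Cocoon: Python's sqlite3 module stands in for ESQL over JDBC, the `?` placeholder plays the role of `<esql:parameter>` (the value is bound separately from the SQL text instead of being pasted in as a quoted literal), and the table `tablename`, the in-memory database and the inputs such as `O'Brien` and the `attacker-chosen` payload are all constructed for the demonstration. It shows the symptom from the original question (an apostrophe breaks the quoted-literal statement), the worse case behind it (a crafted value rewrites what lands in `field2`), and the parameterized insert storing both inputs verbatim.

```python
import sqlite3

# Constructed in-memory table standing in for the poster's `tablename`.
DDL = "CREATE TABLE tablename (id INTEGER PRIMARY KEY, field1 TEXT, field2 TEXT)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(DDL)
    return conn


def insert_quoted_literals(conn, value1, value2):
    """The pattern from the original question: user values pasted into the
    SQL text as quoted literals. A single apostrophe in either value breaks
    the statement, and a crafted value can rewrite it."""
    sql = "INSERT INTO tablename (field1, field2) VALUES ('%s', '%s')" % (value1, value2)
    conn.execute(sql)
    conn.commit()
    return sql


def insert_parameterized(conn, value1, value2):
    """Same insert with placeholders, the role <esql:parameter> plays in ESQL:
    the SQL text never contains the values, so quoting them is irrelevant."""
    sql = "INSERT INTO tablename (field1, field2) VALUES (?, ?)"
    conn.execute(sql, (value1, value2))
    conn.commit()
    return sql


def rows(conn):
    return conn.execute("SELECT field1, field2 FROM tablename ORDER BY id").fetchall()


def demo():
    results = {}

    # 1. The symptom from the question: an apostrophe in ordinary user input.
    conn = new_db()
    try:
        insert_quoted_literals(conn, "O'Brien", "hello")
        results["literal_apostrophe"] = "accepted"
    except sqlite3.OperationalError as e:
        results["literal_apostrophe"] = "error: %s" % e

    # 2. Worse than an error: a value that closes the quote, supplies its own
    #    second column and comments out the rest, so the attacker decides what
    #    is stored in field2 even though only field1 came from them.
    conn = new_db()
    insert_quoted_literals(conn, "x', 'attacker-chosen') --", "intended")
    results["literal_injection"] = rows(conn)

    # 3. The parameterized insert stores both inputs exactly as given.
    conn = new_db()
    insert_parameterized(conn, "O'Brien", "hello")
    insert_parameterized(conn, "x', 'attacker-chosen') --", "intended")
    results["parameterized"] = rows(conn)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and compare the `literal_injection` row with the `parameterized` rows: the payload that silently replaced `intended` in the first case is stored as plain text in the second, which is exactly why the fix is binding parameters rather than trying to escape or forbid the apostrophe.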
