On 21.02.2007, at 11:43, Gajo Csaba wrote:
Hello,
Is there a way for me to execute a prepared SQL statement? For
example, something like:
<esql:query>UPDATE User SET display_name=? WHERE ID=?</esql:query>
It would be quite a security risk if I just used the user-submitted
data instead of the ? here. Any way to do this?
ESQL always uses prepared statement (also because of that).
Have a look at <esql:parameter> (IIRC - boy it has been a while)
cheers
--
Torsten
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
