On Wed, 21 Feb 2007 11:55:51 +0100, Torsten Curdt <[EMAIL PROTECTED]>
wrote:
> On 21.02.2007, at 11:43, Gajo Csaba wrote:
>> Hello,
>> Is there a way for me to execute a prepared SQL statement? For example,
>> something like:
>> <esql:query>UPDATE User SET display_name=? WHERE ID=?</esql:query>
>> It would be quite a security risk if I just used the user-submitted
>> data instead of the ? here. Any way to do this?
> ESQL always uses prepared statements (also because of that).
> Have a look at <esql:parameter> (IIRC - boy it has been a while)
> cheers
> --
> Torsten
Seems to work, thanks!
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]