[ic] Writing information to database

Steven Potter interchange-users@interchange.redhat.com
Wed Jan 9 23:23:00 2002


Kevin Walsh wrote:

>>I would like to write some of the users' order information to a different
>>table in the database for statistical use.  What is the best way to
>>approach this?  I know I could do it with a [query sql=insert into ....]
>>but that doesn't strike me as very secure.  What other methods would you
>>suggest?  I searched the archives and didn't find anything, but if you
>>know of a thread, point me there.
> Although I don't understand your security concern with [query] and SQL,
> I would suggest you edit the catalogue's etc/log_transaction file.
> Copy the existing method of writing to the transactions table, but use
> your own table name and contents.

The security concern with [query] is that if I had a statement like the 
following:

[query sql=INSERT INTO table VALUES('[first_name]',.....]

What if the user was to enter something like this into the first_name field:

; DELETE FROM table WHERE 1=1;

That could cause some serious problems...

Thanks for pointing me to the etc/log_transaction file.

Steven Potter
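The risk Steven describes, shown side by side with the fix, as an added example that is not part of this thread and not Interchange's own code. It uses an in-memory SQLite database with a constructed `order_stats` table (the table name and columns are assumptions); `insert_interpolated` pastes the submitted value into the SQL text the way `[query sql="INSERT ... VALUES('[first_name]', ...)"]` does, and `executescript()` stands in for a driver that will run several statements from one string. `insert_parameterized` sends the value as a bind parameter instead, which is the approach to take whatever mechanism is used to write the row.

```python
import sqlite3

# Constructed sample schema: an order-statistics table of the kind the
# thread is about.  Table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE order_stats (first_name TEXT, total REAL);
INSERT INTO order_stats VALUES ('Alice', 10.0), ('Bob', 20.0);
"""


def fresh_db():
    """Return a new in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM order_stats").fetchone()[0]


def insert_interpolated(conn, first_name, total):
    """Vulnerable form: the form field is spliced into the SQL text, just as a
    [query] tag with '[first_name]' inside the statement would do.
    executescript() models a driver that executes every statement it is given,
    so anything the user manages to append becomes a second statement."""
    sql = "INSERT INTO order_stats VALUES('%s', %s);" % (first_name, total)
    conn.executescript(sql)
    return sql


def insert_parameterized(conn, first_name, total):
    """Hardened form: the value is passed as a bind parameter.  The database
    receives it as data, so quotes or semicolons in it never become SQL."""
    conn.execute("INSERT INTO order_stats VALUES(?, ?)", (first_name, total))
    conn.commit()


def demo(first_name):
    """Write the same submitted value through both paths.

    Returns (rows left in the vulnerable table, rows left in the hardened
    table, whether the hardened table stored the value exactly as given).
    """
    vuln = fresh_db()
    insert_interpolated(vuln, first_name, 5.0)

    safe = fresh_db()
    insert_parameterized(safe, first_name, 5.0)
    stored = safe.execute(
        "SELECT first_name FROM order_stats WHERE total = 5.0"
    ).fetchone()[0]

    return row_count(vuln), row_count(safe), stored == first_name


if __name__ == "__main__":
    # A normal name: both paths add one row to the two already present.
    print(demo("Alice"))
    # A constructed hostile value that closes the quoted literal, ends the
    # INSERT, and appends a DELETE.  Only the interpolated path loses the table.
    print(demo("Eve', 0); DELETE FROM order_stats WHERE 1=1; --"))
```

For a benign name both tables end up with three rows. For the hostile value, the interpolated statement becomes `INSERT ... VALUES('Eve', 0); DELETE FROM order_stats WHERE 1=1; --', 5.0);` and the table is emptied, while the parameterized path simply stores that whole string as a (strange) first name and keeps all rows. The general point is the one Kevin's suggestion gets for free when the transaction logger writes rows through the database driver: keep user data out of the statement text.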