[ic] Search out from a form

John Young [email protected]
Wed Jul 2 15:29:00 EDT 2003


Peter wrote:

> You could try
> 
>           [query
>             sql="select * from products where (sku like '%[cgi mv_searchspec]%'
>                 or description like '%[cgi mv_searchspec]%'
>                 or prod_group like '%[cgi mv_searchspec]%'
>                 or category like '%[cgi mv_searchspec]%')
>                 and not product_filter = 'b2b'
>                 order by category"
>             type=list
>             list=1
>             st=db
>           ]
>           [list]
>             [sql-param first_column], [sql-param second_column], [sql-param etc_column] <br>
>           [/list]
>           [/query]


If you do something like the above, be sure to filter the CGI
values.  Otherwise, you are open to SQL-injection attacks.

John Young
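An added example, not part of John's or Peter's posts and not Interchange code: a Python/sqlite3 stand-in for the quoted query that shows what happens when the raw search spec is pasted into the SQL text, and the same search done with the value bound as a parameter. The table rows, the column names beyond those in Peter's query, and the function names are constructed for this illustration.

```python
import sqlite3

# Constructed sample catalog: column names follow the quoted query; the rows
# are invented for this example, not Interchange's demo data.
PRODUCTS = [
    ("os28004", "Ergo Roller",    "Painting", "Tools",    "retail"),
    ("os28005", "Trim Brush",     "Painting", "Tools",    "retail"),
    ("os28044", "Framing Hammer", "Hardware", "Tools",    "b2b"),
    ("os28057", "Bulk Nails",     "Hardware", "Supplies", "b2b"),
]


def make_db():
    """In-memory stand-in for the products table (SQLite here; the statement
    shape is the same on the MySQL/Postgres backends usually behind Interchange)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table products (sku text, description text, prod_group text,"
        " category text, product_filter text)"
    )
    conn.executemany("insert into products values (?, ?, ?, ?, ?)", PRODUCTS)
    return conn


def search_vulnerable(conn, spec):
    """Same statement as the quoted ITL, with [cgi mv_searchspec] pasted into
    the SQL text unchanged: whatever the user typed becomes part of the
    statement, quotes, parentheses and comment markers included."""
    sql = (
        "select sku from products where (sku like '%{s}%'"
        " or description like '%{s}%'"
        " or prod_group like '%{s}%'"
        " or category like '%{s}%')"
        " and not product_filter = 'b2b'"
        " order by category"
    ).format(s=spec)
    return [row[0] for row in conn.execute(sql)]


def like_pattern(spec, esc="\\"):
    """Turn the raw search spec into a LIKE pattern whose only wildcards are
    the two % we add. Escaping quotes alone would stop the injection below,
    but a '%' or '_' typed by the user would still match every row."""
    for ch in (esc, "%", "_"):
        spec = spec.replace(ch, esc + ch)
    return "%" + spec + "%"


def search_safe(conn, spec):
    """Same search with the value bound as a parameter: the driver hands it to
    the engine separately from the statement, so it cannot change the query."""
    pat = like_pattern(spec)
    sql = (
        "select sku from products where (sku like ? escape '\\'"
        " or description like ? escape '\\'"
        " or prod_group like ? escape '\\'"
        " or category like ? escape '\\')"
        " and not product_filter = 'b2b'"
        " order by category"
    )
    return [row[0] for row in conn.execute(sql, (pat, pat, pat, pat))]


# A search spec that closes the open parenthesis, adds its own condition and
# comments out the rest of the statement (the space after -- keeps it a
# comment on MySQL as well). It lifts the b2b restriction the query exists
# to enforce.
INJECTED_SPEC = "x%') or product_filter = 'b2b' -- "

if __name__ == "__main__":
    db = make_db()
    print("normal search   :", search_vulnerable(db, "Tools"))
    print("injected, raw   :", search_vulnerable(db, INJECTED_SPEC))
    print("injected, bound :", search_safe(db, INJECTED_SPEC))
    print("wildcard, raw   :", search_vulnerable(db, "%"))
    print("wildcard, bound :", search_safe(db, "%"))
```

The raw version returns exactly the b2b rows the query was meant to hide, and a lone `%` turns the search into a full catalog dump; the bound version returns nothing for either input. Inside ITL the minimum is to run the value through an escaping filter before it reaches the `sql=` attribute rather than using `[cgi mv_searchspec]` bare, and even then the LIKE wildcards need handling separately, as `like_pattern` does above.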



