[ic] A link from DB

Mike Heins mike at perusion.com
Thu Jul 29 11:31:18 EDT 2004


Quoting Daniel Davenport (ddavenport at newagedigital.com):
> > -----Original Message-----
> > From: interchange-users-bounces at icdevgroup.org
> > [mailto:interchange-users-bounces at icdevgroup.org]On Behalf Of Jon
> > Sent: Tuesday, July 27, 2004 10:16 PM
> > To: interchange-users at icdevgroup.org
> > Subject: [ic] A link from DB
> >
> > I'm trying to create a hyperlink from within a field in the DB so when
> > one item is displayed via flypage.html there is a link to another item.
> > I've tried various variations of 'area' and 'page' tags with/without
> > interpolate but it always seems to display the IC tag and not the link.
> > I've read there is a security issue with creating links out of a DB,
> > but didn't see if that applied to a specific release
> > of IC or all IC releases?
> 
> It applies to any system which can execute code.  What you're trying to do
> is a really bad idea--if you could use an [area] or [page] tag, then
> potentially any ITL code could be run, including stuff like [data userdb
> password insert_user_id_here].  As of yet, I don't believe there's a way to
> only interpolate this tag and that tag, and escape all the others.

Actually, there is:

    [pragma safe_data]
    [restrict allow="page area value" interpolate=1]
        [item-description comment]
    [/restrict]

But...

> 
> If you wanted to, you could have a related_sku or other such field in the
> products table, and instead of trying to put the tag in there, have some
> code like
> 
> [if-item-field related_sku]
>  [page [item-field related_sku]][description [item-field related_sku]]</a>
> [/if-item-field]

This is by far the best way to do it. 

-- 
Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Being against torture ought to be sort of a bipartisan thing.
-- Karl Lehenbauer
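
The following is an added example, not part of the original message and not Interchange code: a simplified Python model of the three options discussed in the thread (interpolating a DB field with no restriction, interpolating it with a tag allowlist, and storing only a related SKU and building the link in the template). The tag handlers, table contents, SKUs and function names are constructed assumptions, far simpler than real ITL.

```python
import html
import re
from urllib.parse import quote

# Constructed sample rows standing in for the products and userdb tables.
PRODUCTS = {
    "os28004": {"description": "Ladder", "related_sku": "os28005"},
    "os28005": {"description": "Brush & roller set", "related_sku": ""},
}
USERDB = {"alice": {"password": "constructed-secret"}}
TABLES = {"products": PRODUCTS, "userdb": USERDB}

# Toy handlers for two tags; a hypothetical stand-in, far simpler than real ITL.
HANDLERS = {
    "page": lambda sku: '<a href="/%s.html">' % quote(sku),
    "data": lambda table, column, key: TABLES[table][key][column],
}
TAG = re.compile(r"\[(\w+)((?:\s+[^\[\]]*)?)\]")


def interpolate(text, allow=None):
    """Expand tags in text; with an allowlist, defuse every other tag."""
    def expand(match):
        name, args = match.group(1), match.group(2).split()
        if allow is not None and name not in allow:
            # Blocked tag: emit it as inert text instead of running it.
            return html.escape(match.group(0)).replace("[", "&#91;")
        handler = HANDLERS.get(name)
        return handler(*args) if handler else match.group(0)
    return TAG.sub(expand, text)


def related_link(sku):
    """Build the link in the template layer from a plain SKU column."""
    related = PRODUCTS[sku]["related_sku"]
    if related not in PRODUCTS:
        return ""
    label = html.escape(PRODUCTS[related]["description"])
    return '<a href="/%s.html">%s</a>' % (quote(related), label)


# Constructed description field as someone with DB write access might store it.
FIELD = "See also [page os28005]this</a> [data userdb password alice]"

if __name__ == "__main__":
    print(interpolate(FIELD))                                   # runs every tag
    print(interpolate(FIELD, allow={"page", "area", "value"}))  # allowlisted
    print(related_link("os28004"))                              # data-only link
```

Even with the allowlist, the field's own HTML still reaches the page unescaped in this model; the SKU-column version never treats stored text as markup or tags at all.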
