[ic] SQL Injection?
Jon Jensen
jon at endpoint.com
Fri Sep 19 17:26:42 UTC 2014
On Fri, 19 Sep 2014, Bob Puff wrote:
> What does the filter you posted above need to wrap around? Is that a
> generic statement that will apply to any field, or do I need to
> specifically call out a variable name?
I would go around any user-supplied data that is to be put into SQL, e.g.
off the top of my head:
[query sql="SELECT * FROM products WHERE title LIKE '[sql-filter sql][cgi search][/sql-filter]'"]
Jon
--
Jon Jensen
End Point Corporation
http://www.endpoint.com/
+1 507-399-0057
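To show why the quoting step matters for any user-supplied value, here is an added example in Python with sqlite3; it is not from the thread above and not Interchange code, and sql_filter is an assumed stand-in for a quote-doubling SQL filter, with a parameterized query alongside it as the preferred form where the database API offers placeholders.

```python
import sqlite3

# Constructed sample rows standing in for the "products" table.
PRODUCTS = [("O'Reilly Perl Book",), ("Plain Widget",)]


def sql_filter(value: str) -> str:
    """Assumed stand-in for an SQL quoting filter: doubles embedded single
    quotes so the value is safe inside a '...' string literal. Note that it
    does not touch LIKE wildcards (% and _), and databases that treat
    backslash as an escape character need that handled as well."""
    return value.replace("'", "''")


def _db() -> sqlite3.Connection:
    """In-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (title TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", PRODUCTS)
    return conn


def search_unfiltered(term: str) -> list:
    """Risky form: the search term is dropped straight into the SQL text."""
    sql = f"SELECT title FROM products WHERE title LIKE '%{term}%'"
    return [row[0] for row in _db().execute(sql)]


def search_filtered(term: str) -> list:
    """Same query, with the term passed through the quoting filter first."""
    sql = f"SELECT title FROM products WHERE title LIKE '%{sql_filter(term)}%'"
    return [row[0] for row in _db().execute(sql)]


def search_parameterized(term: str) -> list:
    """Preferred form: a bound parameter, so the value is never parsed as SQL."""
    rows = _db().execute("SELECT title FROM products WHERE title LIKE ?",
                         (f"%{term}%",))
    return [row[0] for row in rows]


def unfiltered_breaks(term: str) -> bool:
    """True when the database rejects the unfiltered query for this term,
    i.e. the quote in the input has changed the structure of the statement."""
    try:
        search_unfiltered(term)
    except sqlite3.Error:
        return True
    return False
```

A perfectly ordinary search for O'Reilly already breaks the unfiltered query, which is the same structural weakness an attacker exploits; the filtered and parameterized versions both return the expected row.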