[ic] lookup_query in table editor
Jon Jensen
jon at endpoint.com
Tue Apr 13 15:28:18 UTC 2021
On Mon, 12 Apr 2021, Scott Andreas wrote:
> I've even tried using: lookup_query.category=`select distinct category from
> products_codes where owner='$Session->{username}'`
>
> If I try lookup_query.category=`select distinct category from
> products_codes where owner='bob'`
> the list populates
The `...` quoting style is for Perl code snippets, so it shouldn't have
unquoted regular strings and code mixed.
You could try:
lookup_query.category="select distinct category from products_codes where owner='[data session username]'"
If you do that, make sure you can't ever have a valid username with a ' in
it or you'll have an SQL injection vulnerability there.
It shouldn't be vulnerable to direct query or form injection since the
session username is vetted first, but if a user can create a username with
a ' then you've got a problem.
Jon
--
Jon Jensen
End Point Corporation
https://www.endpoint.com/
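As an added example (not from the original thread or from Interchange itself), the Perl script below shows what the interpolated lookup_query above actually builds and the two defensive alternatives that Jon's caveat implies: a strict username check at account creation and a DBI placeholder when the query is built in Perl. DBD::SQLite, the products_codes rows and the usernames are assumptions constructed for the demo.

```perl
#!/usr/bin/perl
# Added example, not code from the original post or from Interchange.
# Assumes DBD::SQLite is installed; table contents are constructed here.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE products_codes (owner TEXT, category TEXT)');
$dbh->do(q{INSERT INTO products_codes VALUES
    ('bob', 'books'), ('bob', 'music'), ('o''brien', 'tools')});

# 1. What the config line does: the session username is pasted into the SQL.
sub interpolated_sql {
    my ($username) = @_;
    return "select distinct category from products_codes where owner='$username'";
}

# A perfectly legitimate name containing an apostrophe already breaks the
# statement, which is the situation Jon warns about.
for my $user ('bob', "o'brien") {
    my $sql  = interpolated_sql($user);
    my $rows = eval { $dbh->selectcol_arrayref($sql) };
    my $err  = $@;
    chomp $err;
    print "$user: ", ($err ? "SQL error: $err" : join(',', @$rows)), "\n";
}

# 2a. The check Jon asks for: only allow usernames from a strict whitelist
#     when the account is created, so a quote can never reach the session.
sub valid_username {
    my ($username) = @_;
    return $username =~ /\A[A-Za-z0-9_.-]{1,32}\z/ ? 1 : 0;
}

# 2b. When the query is written in Perl rather than in a config string,
#     bind the value with a placeholder so DBI never parses it as SQL.
sub categories_for {
    my ($username) = @_;
    return $dbh->selectcol_arrayref(
        'select distinct category from products_codes where owner = ?',
        undef, $username);
}

printf "valid_username(%s) = %d\n", $_, valid_username($_) for ('bob', "o'brien");
print "o'brien via placeholder: ", join(',', @{ categories_for("o'brien") }), "\n";
```

The interpolated query fails for o'brien while the placeholder version returns its category, which is the difference between relying on username vetting and not needing to.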