
[ic] Re: Form Input and Database Insert Safety, Interchange


Interchange has a [filter] tag that, given the type of filter as an
argument, can do what you want. In your case, you're interested in the
'sql' filter:

      [filter op=sql interpolate=1][cgi my_raw_form_data][/filter]

There are numerous other useful filters for all manner of data
transformation in addition to this one.

A word of caution on the sql filter in 4.9. Your version escapes by the
SQL-standard of doubling up single quotes. Unfortunately, databases such
as MySQL and Postgres also allow backslash escaping, which means it's
still possible to produce SQL injections using a combination of single
quotes and backslashes. The current IC uses the native DBI quote method
so that escapes for a particular database are handled properly according
to its particular DBD.

Later versions of the [query] tag have a [sql-quote] "subtag" that
will do a proper $db->quote() on the value:

  [query
      list=1
      sql=|
          SELECT  code
          FROM    products
          WHERE   sku = [sql-quote][cgi sku][/sql-quote]
      |
  ]
  ...
  [/query]

That will work for INSERT and DELETE (etc.) too, of course, and will
avoid the need for [filter].  It also neatly side-steps any potential
security issues.

I suggest an upgrade from 4.9 (development) to 5.4 (stable), which will
provide you with this facility, and lots of other goodies.  On the
other hand, any competent Interchange consultant will be able to
back-port this facility into 4.9.




Thank you very much to both of you for the information.  This leads me
to some other questions.

I've been away from Interchange for 2.5 years, and I was never an
Interchange whiz to begin with.  I have found the documentation
somewhat confusing as well.  So, I could use any additional help to
avoid injection attacks.  What is my best bet to do quickly before I
go through the upgrade process?  Upgrading could be very tough because
it is a customized admin tool and probably customized old IC tags as
well.

Also, are there any known security issues with Interchange 4.9.5?
Some of our old tags are actually residuals from 4.8.6!

Finally, I may then be looking for consultants if I make this upgrade.
I'm guessing from your signatures that you may both be in the
business.  Feel free to recommend consultants by sending me an e-mail
directly.

Thanks again.

Andy
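As an added example (not code from the thread or from Interchange itself), the quote-doubling filter described above sits beside a backslash-aware quote, a hand-written stand-in for the DBD's own quote method, together with a small check that the produced literal parses as exactly one closed string; the function names and the sample value are constructed, and such a check is what you would want in a test when back-porting [sql-quote] to 4.9.

```perl
#!/usr/bin/perl
# Added example, not Interchange code: a quote-doubling 'sql' filter beside a
# backslash-aware quote, plus a check that the result is one closed literal.
use strict;
use warnings;

# The 4.9-era approach: escape only by doubling single quotes (SQL standard).
sub quote_by_doubling {
    my ($v) = @_;
    $v =~ s/'/''/g;
    return "'$v'";
}

# Hypothetical stand-in for a DBD's quote method on a database that treats
# backslash as an escape (MySQL, Postgres with backslash escapes enabled):
# backslashes must be escaped too, or a trailing backslash eats the closing quote.
sub quote_backslash_aware {
    my ($v) = @_;
    $v =~ s/\\/\\\\/g;
    $v =~ s/'/\\'/g;
    return "'$v'";
}

# Scan the literal the way a backslash-escaping parser would and return 1
# only if it is exactly one string literal with nothing left over after it.
sub is_single_literal {
    my ($lit) = @_;
    return 0 unless $lit =~ /^'/;
    my ($i, $n) = (1, length $lit);
    while ($i < $n) {
        my $c = substr($lit, $i, 1);
        if ($c eq '\\') { $i += 2; next; }            # backslash escapes next char
        if ($c eq "'") {
            return ($i == $n - 1) ? 1 : 0 if substr($lit, $i + 1, 1) ne "'";
            $i += 2; next;                            # '' is an escaped quote
        }
        $i++;
    }
    return 0;   # input ended inside the literal: the closing quote was consumed
}

# Constructed sample form value: an embedded quote and a trailing backslash.
my $value = "O'Brien\\";
for my $case (['doubling only', \&quote_by_doubling],
              ['backslash-aware', \&quote_backslash_aware]) {
    my $lit = $case->[1]->($value);
    printf "%-16s %-16s single closed literal: %s\n",
        $case->[0], $lit, is_single_literal($lit) ? 'yes' : 'NO';
}
```

Which escaping rule applies is driver- and server-dependent (Postgres treats backslashes as escapes only when standard_conforming_strings is off), which is exactly why delegating to the DBD's quote method, as [sql-quote] does, beats any hand-rolled filter.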

_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users

