Forum OpenACS Q&A: Re: Res: Re: Res: Re: Using list-builder and pagination

Posted by Brian Fenton on
Hi Lear,

I don't think it's a good idea to be passing in your SQL query as a parameter to the page - you're leaving yourself open to potential SQL Injection attacks.

Also I don't think you need the "request create" - just use ad_page_contract to handle any form variables.

Brian

How do I do that? Do you have any documentation or example script on this matter? I have this script with form elements that I enter by keyboard, but when I execute the submit instruction it runs the select query on the list array for the first page, and when I pass to the next page (page=2) I lose the information...
Sure, there are loads of examples in the OpenACS codebase. Try this one for starters: http://cvs.openacs.org/cvs/*checkout*/openacs-4/packages/dotlrn-ecommerce/lib/tree-chunk.tcl?rev=1.2
How do I use ad_page_contract to do this, to handle form variables passed from another script?

Have you seen the acs-templating demo?
http://openacs.org/doc/acs-templating/demo/
Hi Brian, forgive me for asking too much. I'm trying to understand those templating demos but I get stuck,

this is a portion of the script that passes the parameters,
index_lista.tcl:

if { [string equal $keyword {}] } {

    if { ! [string compare $sql1 "no"] } {
        set display "doc_list"
        set band4 "12"
        element set_error func_search error2_search "Por favor introduzca su busqueda"
        return
    } else {
        # pass the parameter on to prueba_list_builder
        # (export_vars builds the URL with sql1 properly URL-encoded)
        template::forward [export_vars -base prueba_list_builder {sql1}]
    }
}

This is the code for prueba_list_builder:

ad_page_contract {
} {
    {page:optional}
}

# sql1 arrives as a request variable (the SQL fragment built by index_lista.tcl)
request create -params {
    sql1 -datatype text -optional
}

if { ! [request is_valid] } { return }

list::create -name users \
    -multirow users \
    -key num_sec \
    -pass_properties { sql1 } \
    -page_size 10 \
    -page_query { select num_sec from procadm.t_normas where $sql1 } \
    -elements {
        num_sec {
            display_template {
                <table width="800" border="0" cellspacing="6" cellpadding="6">
                  <tr>
                    <td width="2%" valign="top" align="center">
                      <font face="Arial, Helvetica, sans-serif" color="#FF0000" size="3"><b><img src="puntero.gif" width="17" height="17"></b></font>
                    </td>
                    <td width="96%" valign="top" align="justify">
                      @sql1@<br>
                      @users.desc_norma@&nbsp;@users.num_norma@&nbsp;de&nbsp;@users.anio_gac@<br>
                      Número de Gaceta:&nbsp;@users.num_gaceta@<br>
                      Autoridad:&nbsp;@users.desc_autoridad@<br>
                      Título:&nbsp;@users.titulo@
                    </td>
                  </tr>
                </table>
            }
        }
    }

# fetch the rows for the current page; the ids come from the list builder
set query "select a.num_sec num_sec, num_gaceta,
                  to_char(fecha_gaceta, 'yyyy') anio_gac,
                  a.norma, desc_norma, num_norma, titulo, cod_autoridad, desc_autoridad
             from procadm.t_normas a, procadm.t_tipo_norma b, procadm.t_autoridad c
            where $sql1
              and a.norma = b.num_sec
              and a.cod_autoridad = c.num_sec
              and a.num_sec in ([template::list::page_get_ids -name users])"

db_multirow users users_query $query

The view shows me the value of the variable for the first page, but when I pass to the second page the variable loses its value.
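As an added example, not code from the thread or from OpenACS itself, here is how Brian's advice would apply to Lear's prueba_list_builder page: the SQL-fragment parameter is replaced by a keyword that ad_page_contract validates, the keyword reaches the database only as a bind variable, and it is declared as a list-builder filter so the pagination links carry it to page 2 instead of losing it. Table and column names are taken from Lear's post; the filter name, the title-only search, the "NULL" guard for an empty page, and the assumption that bind variables in -page_query resolve in the page's scope the same way they do for db_multirow are mine.

```tcl
# Added example (not from the thread): a hardened prueba_list_builder.tcl.
# The page no longer accepts SQL from the request; it accepts a keyword.
ad_page_contract {
    Lists normas whose title matches a keyword, 10 per page.
} {
    {keyword:trim ""}
    {page:naturalnum 1}
}

# Same empty-search check index_lista.tcl does, performed on this page so
# nothing has to be forwarded between scripts.
if { $keyword eq "" } {
    ad_return_complaint 1 "Por favor introduzca su busqueda"
    ad_script_abort
}

# The keyword only ever reaches the database as the bind value :pattern,
# so quotes or SQL keywords inside it cannot change the query's shape.
set pattern "%[string toupper $keyword]%"

# Declaring keyword as a filter makes the list builder put it into the
# pagination links, so page 2 receives the same value page 1 had.
template::list::create \
    -name users \
    -multirow users \
    -key num_sec \
    -page_size 10 \
    -filters {
        keyword {
            label "Busqueda"
            where_clause { upper(a.titulo) like :pattern }
        }
    } \
    -page_query {
        select a.num_sec
          from procadm.t_normas a
         where upper(a.titulo) like :pattern
         order by a.num_sec
    } \
    -elements {
        num_sec {
            label "Norma"
            display_template {
                @users.desc_norma@ @users.num_norma@ de @users.anio_gac@<br>
                Autoridad: @users.desc_autoridad@<br>
                Titulo: @users.titulo@
            }
        }
    }

# The ids for the current page come from the list builder, not from the
# request, so interpolating them is safe. An empty page yields "in (NULL)",
# which matches nothing instead of producing a syntax error (my guard).
set page_ids [template::list::page_get_ids -name users]
if { $page_ids eq "" } {
    set page_ids "NULL"
}

# Fixed query text plus the filter clause; :pattern is still a bind variable.
db_multirow users users_query "
    select a.num_sec, a.num_norma, a.titulo,
           to_char(a.fecha_gaceta, 'yyyy') as anio_gac,
           b.desc_norma, c.desc_autoridad
      from procadm.t_normas a, procadm.t_tipo_norma b, procadm.t_autoridad c
     where a.norma = b.num_sec
       and a.cod_autoridad = c.num_sec
       and a.num_sec in ($page_ids)
       [template::list::filter_where_clauses -and -name users]
"
```

With this layout ad_page_contract rejects a non-numeric page and trims the keyword before any of the page code runs, and the request create / request is_valid pair is no longer needed. If the search has to cover more columns than titulo, add them to both where clauses while keeping :pattern as the only user-derived value in the SQL.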