action_parameters not available within inline loop?


action_parameters not available within inline loop?

Todd Vainisi-2
Hey List,

I have this on my page:

[

action_param('totalseats_1');

var('sql_courses')="Select * from courses";
inline(-database="ae", -sql=$sql_courses);
  action_param('totalseats_1');
/inline;

]

The first action_param gives output.  The one inside the inline wrapper does not.  Why?

Todd V



#############################################################
This message is sent to you because you are subscribed to
  the mailing list Lasso
[hidden email]
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>

Re: action_parameters not available within inline loop?

Jonathan Guthrie-3
Hi Todd,

Action_params cannot be used inside inlines - you will need to set the action_param to a variable outside the inline in order for it to be used inside.

local('totalseats_1' = action_param('totalseats_1'));

var('sql_courses')="Select * from courses";
inline(-database="ae", -sql=$sql_courses);
    #totalseats_1
/inline;




Jono

----------------------------
Jonathan Guthrie
[hidden email]
LassoSoft Inc.


Re: action_parameters not available within inline loop?

Jolle Carlestam-3
PRTGM *

* Please Read The Great Manual

"If these tags are used within an [Inline] ... [/Inline] container tag they return information about the action specified in the opening [Inline] tag. Otherwise, these tags return information about the action which resulted in the current Lasso page being served."

If you want access to action_params inside an inline set the content of the action param to a var on top of the page or use any of the client_param tags found at tagswap. I use lp_client_param for example.

HDB
Jolle





Re: action_parameters not available within inline loop?

French, Shelane
I always set the parameters to a variable map to refer to later. I use search_arguments so that session information, tokens, or other command parameters aren't saved.

Var('_userparams' = map);

search_arguments;
        $_userparams->insert(search_fielditem = search_valueitem);
/search_arguments;


//when I need to know totalseats_1 I pull it from the map:
$_userparams->find('totalseats_1');





Re: action_parameters not available within inline loop?

Steve Upton
At 9:17 AM -0700 8/22/11, French, Shelane wrote:
>I always set the parameters to a variable map to refer to later. I use
>search_arguments so that session information, tokens, or other command
>parameters aren't saved.

this is a great time to also encode any incoming parameters against SQL injection trash.

Injection seems to be one of the most common security flaws of web sites these days and cleaning all incoming strings consistently is a fairly simple guard against it.

regards,

Steve Upton


RE: action_parameters not available within inline loop?

Rick Draper-2
> this is a great time to also encode any incoming parameters against SQL injection trash.
> Steve Upton

Indeed - a most important point!!!

Apart from var('totalseats_1') = encode_sql(action_param('totalseats_1'))... it is always advisable to validate the input is as it should be and potentially log / alert / deter anyone doing the unexpected (i.e. unexpected by you).  A lot depends on how exposed things are to the outside world and whether there is a pool of internal sources of threat you need to "accommodate".

Jono's article from a couple of weeks back is certainly worth a read... http://www.lassosoft.com/Understanding-and-Overcoming-SQL-Injection

very best regards,

Rick



Re: action_parameters not available within inline loop?

Bil Corry-3
Rick Draper wrote on 8/22/2011 2:46 PM:
>> this is a great time to also encode any incoming parameters against SQL injection trash.
>> Steve Upton
>
> Indeed - a most important point!!!

My recommendation is to do the SQL encoding at the point in your code where the SQL query is at.  That will keep it consistent throughout your application and less likely to be overlooked.  Otherwise, if you SQL encode the user input, but another developer needs to use it elsewhere, they may unencode it to make it work.

The better way is to use Prepared Statements, no SQL encoding needed and fully protects against SQL injection.  I mention it briefly in my LDC 2008 paper with a small example (which has a lot of security advice in it).  The LDC 2008 paper is included with the 2008 Summit materials:

        http://www.lassosoft.com/Lasso-Developer-Conference-and-Summit-Materials


> Apart from var('totalseats_1') = encode_sql(action_param('totalseats_1'))... it is always advisable to validate the input is as it should be and potentially log / alert / deter anyone doing the unexpected (i.e. unexpected by you).  A lot depends on how exposed things are to the outside world and whether there is a pool of internal sources of threat you need to "accommodate".
>
> Jono's article from a couple of weeks back is certainly worth a read... http://www.lassosoft.com/Understanding-and-Overcoming-SQL-Injection

There's also mine from 2004, doesn't cover Prepared Statements, but does cover SQL encoding of various data types:

        http://tagswap.net/articles/SQL_Injection/


- Bil
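The advice in this thread fits together into one pattern: capture the request's parameters before any inline opens (Jono, Shelane), validate the shape of each one and log anything unexpected (Rick), and do the SQL encoding where the query is built rather than on the stored value (Bil). The block below is an added example written for this page; it is not code posted by anyone in the thread. It uses Lasso 8 syntax and assumes a MySQL database "ae" with a "courses" table holding "course_code" and "total_seats" columns, and a request carrying "course_code" and "totalseats_1"; those column and parameter names are assumptions. It shows the encode_sql route rather than prepared statements.

```lasso
[
// Added example, not code from the thread. Assumed names: database "ae",
// table "courses" with columns "course_code" and "total_seats", request
// params "course_code" and "totalseats_1". Lasso 8 syntax.

// 1. Capture the page's parameters once, before any inline opens. Inside an
//    inline, action_param reports the inline's own action, not the page's,
//    so the map is the only copy the inline bodies below can rely on.
var('_userparams' = map);
search_arguments;
    $_userparams->insert(search_fielditem = search_valueitem);
/search_arguments;

// 2. Validate shape before anything touches SQL. totalseats_1 must be a
//    non-negative integer: "12abc", "", "1 OR 1=1" and a missing param all
//    fail the round-trip check (so do "007" and " 7", which is intended).
var('seats_raw' = string($_userparams->find('totalseats_1')));
var('seats' = integer($seats_raw));
if(string($seats) != $seats_raw || $seats < 0);
    log_critical('Rejected totalseats_1 from ' + client_ip + ': ' + $seats_raw);
    fail(-1, 'totalseats_1 must be a non-negative integer');
/if;

// 3. Encode at the SQL site. The map keeps the raw value for any other use,
//    so no later developer has to "unencode" it; the integer is cast, the
//    string is passed through encode_sql exactly where the query is built.
var('course_code' = string($_userparams->find('course_code')));
var('sql_update' = 'UPDATE courses SET total_seats = ' + string($seats) +
    " WHERE course_code = '" + encode_sql($course_code) + "'");
inline(-database='ae', -sql=$sql_update);
    if(error_code != 0);
        log_critical('courses update failed: ' + error_msg);
    /if;
/inline;

// 4. Read it back the same way: the raw value comes from the map, the
//    encoding happens in the query string, not in the variable.
var('sql_select' = "SELECT course_code, total_seats FROM courses WHERE course_code = '" +
    encode_sql($course_code) + "'");
inline(-database='ae', -sql=$sql_select);
    records;
        field('course_code') + ': ' + field('total_seats') + '<br>';
    /records;
/inline;
]
```

The round-trip check in step 2 (cast to integer, cast back, compare to the original string) is stricter than encode_sql alone: encoding only protects the query, while the check rejects anything that is not the integer the page expects and records where it came from, which is the "validate, log, deter" layer Rick describes. encode_sql still has to be applied to every string parameter at every query site; the map does not make the values safe by itself.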