On Apr 2, 10:01 am, andreas.kretsch...@xxxxxxxxxxxxxx ("A.
Kretschmer") wrote:
> In response to linnewbie :
>
>
>
> > I am using tcl ( ncgi and tclobdc ) so it is more like the excerpts
> > below:
>
> > ie I input:
>
> > <h1>Hello World </h1>
>
> > <p>xyz <p/>
> > .........
>
> > into the text area field, save:
>
> > set page_content [ ncgi::value textarea_field_name]
>
> > database connect dbh $datasource $dbuser $dbpassword
>
> > set sql "INSERT INTO profile (page_content) \
> > VALUES('$page_content') "
>
> That is a security hole for sql-injection.
This database user only has select,insert,update privileges on this
table and these are internal users (administrators) so I'm not sure
how much trouble they can make.
Is there another way to have users update content that is really
really complex html, nested <ul> with <span>s with spacial classes
etc?
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
