On Apr 2, 11:06 am, linnewbie <linnew...@xxxxxxxxx> wrote:
> On Apr 2, 10:01 am, andreas.kretsch...@xxxxxxxxxxxxxx ("A.
> Kretschmer") wrote:
> > In response to linnewbie :
> > > I am using tcl ( ncgi and tclodbc ) so it is more like the excerpts
> > > below:
> > >
> > > ie I input:
> > >
> > > <h1>Hello World </h1>
> > > <p>xyz <p/>
> > > .........
> > >
> > > into the text area field, save:
> > >
> > > set page_content [ ncgi::value textarea_field_name]
> > > database connect dbh $datasource $dbuser $dbpassword
> > > set sql "INSERT INTO profile (page_content) \
> > >     VALUES('$page_content') "
> >
> > That is a security hole for sql-injection.
>
> This database user only has select, insert, update privileges on this
> table and these are internal users (administrators) so I'm not sure
> how much trouble they can make.
>
> Is there another way to have users update content that is really
> really complex html, nested <ul> with <span>s with special classes
> etc?

This is a tcl thing though.

-- 
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
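The string-built INSERT quoted above and its parameterized replacement, side by side, as an added example that is not from this thread. It is written in Python with the standard-library sqlite3 module standing in for the Tcl/tclodbc/PostgreSQL stack; the `?` placeholder bound through the driver is the same mechanism tclodbc exposes through its prepared `statement` command (check the tclodbc manual for the exact call). The `profile` table mirrors the one in the thread; the sample HTML is constructed. The point it makes beyond the injection risk is that interpolation also fails on perfectly legitimate content: a single apostrophe inside a `<span>` or a `class='...'` attribute ends the SQL literal early, so the "complex html" the poster wants to store cannot even be saved that way, whereas the bound parameter stores it byte for byte.

```python
import sqlite3

# Constructed sample: the kind of nested HTML the post wants to store.
# The apostrophes in class='note' and Don't are what break string-built SQL.
SAMPLE_HTML = "<ul><li><span class='note'>Don't</span> quote me</li></ul>"


def make_db():
    # In-memory stand-in for the PostgreSQL 'profile' table from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profile (page_content TEXT)")
    return conn


def save_unsafe(conn, page_content):
    # Mirrors the Tcl pattern: the content is spliced into the SQL text,
    # so the database parses whatever the user typed as part of the statement.
    sql = f"INSERT INTO profile (page_content) VALUES('{page_content}')"
    conn.execute(sql)


def save_safe(conn, page_content):
    # Fixed SQL text; the content travels to the driver as a bound parameter
    # and is never parsed as SQL, whatever quotes or tags it contains.
    conn.execute("INSERT INTO profile (page_content) VALUES (?)", (page_content,))


def stored(conn):
    # Return every page_content row so the result can be compared with the input.
    return [row[0] for row in conn.execute("SELECT page_content FROM profile")]


def demo(page_content=SAMPLE_HTML):
    """Try both paths on the same content.

    Returns (unsafe_succeeded, rows_stored). With SAMPLE_HTML the unsafe
    path raises a syntax error because the first apostrophe closes the
    literal; the safe path stores the HTML unchanged.
    """
    conn = make_db()
    try:
        save_unsafe(conn, page_content)
        unsafe_succeeded = True
    except sqlite3.Error:
        unsafe_succeeded = False
    save_safe(conn, page_content)
    return unsafe_succeeded, stored(conn)


if __name__ == "__main__":
    ok, rows = demo()
    print("string-built INSERT accepted the HTML:", ok)
    print("rows stored via bound parameter:", rows)
```

Running it shows the unsafe path rejected even this benign input while the parameterized path stored it intact; the same bound-parameter form is what removes the injection hole Kretschmer points at, independent of how much privilege the database user has.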