| From: | linnewbie <linnewbie(at)gmail(dot)com> |
|---|---|
| To: | pgsql-general(at)postgresql(dot)org |
| Subject: | Re: Posgres Adding braces at beginning and end of text (html) content |
| Date: | 2009-04-02 15:42:02 |
| Message-ID: | 44ff36c9-2f27-4dcd-b6d8-933feaa67b7a@e12g2000vbe.googlegroups.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
On Apr 2, 11:06 am, linnewbie <linnew(dot)(dot)(dot)(at)gmail(dot)com> wrote:
> On Apr 2, 10:01 am, andreas(dot)kretsch(dot)(dot)(dot)(at)schollglas(dot)com ("A.
>
>
>
> Kretschmer") wrote:
> > In response to linnewbie :
>
> > > I am using tcl ( ncgi and tclobdc ) so it is more like the excerpts
> > > below:
>
> > > ie I input:
>
> > > <h1>Hello World </h1>
>
> > > <p>xyz <p/>
> > > .........
>
> > > into the text area field, save:
>
> > > set page_content [ ncgi::value textarea_field_name]
>
> > > database connect dbh $datasource $dbuser $dbpassword
>
> > > set sql "INSERT INTO profile (page_content) \
> > > VALUES('$page_content') "
>
> > That is a security hole for sql-injection.
>
> This database user only has select,insert,update privileges on this
> table and these are internal users (administrators) so I'm not sure
> how much trouble they can make.
>
> Is there another way to have users update content that is really
> really complex html, nested <ul> with <span>s with spacial classes
> etc?
This is a tcl thing though.
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tom Lane | 2009-04-02 15:52:09 | Re: cast needed - but where and why? |
| Previous Message | Kev | 2009-04-02 15:40:51 | indirect membership in group roles |