Re: Posgres Adding braces at beginning and end of text (html) content

From: linnewbie <linnewbie(at)gmail(dot)com>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: Posgres Adding braces at beginning and end of text (html) content
Date: 2009-04-02 15:06:36
Message-ID: 54d2c2b3-487c-48a1-9bfb-a1d79a904721@l22g2000vba.googlegroups.com
Lists: pgsql-general

On Apr 2, 10:01 am, andreas(dot)kretsch(dot)(dot)(dot)(at)schollglas(dot)com ("A. Kretschmer") wrote:
> In response to linnewbie :
>
> > I am using tcl ( ncgi and tclodbc ) so it is more like the excerpts
> > below:
>
> > ie I input:
>
> > <h1>Hello World </h1>
>
> > <p>xyz <p/>
> > .........
>
> > into the text area field, save:
>
> > set page_content  [ ncgi::value  textarea_field_name]
>
> > database connect dbh $datasource $dbuser $dbpassword
>
> > set sql "INSERT INTO profile (page_content) \
> >         VALUES('$page_content') "
>
> That is a security hole for sql-injection.

This database user only has select,insert,update privileges on this
table and these are internal users (administrators) so I'm not sure
how much trouble they can make.

Is there another way to have users update content that is really
really complex html, nested <ul> with <span>s with special classes
etc?
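The answer to the question above is parameter binding: the HTML goes to the driver as a value, not as part of the SQL text, so quotes, angle brackets and nested markup inside it never reach the SQL parser. The script below is an added illustration, not code from this thread; it uses Python's standard-library sqlite3 module as an offline stand-in for PostgreSQL, and the `profile` table and the sample HTML are constructed for the demo. The interpolated insert mirrors the Tcl snippet quoted above (content pasted into the statement string); the bound insert is the fix. A prepared statement with placeholders on the Tcl side does the same job.

```python
import sqlite3

# Constructed sample: nested markup with classes plus an apostrophe, the
# kind of content the thread's textarea would carry.
SAMPLE_HTML = """<h1>Hello World</h1>
<ul class="nav">
  <li><span class="hl">It's 'quoted'</span></li>
</ul>"""


def open_db():
    """In-memory stand-in for the profile table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile (id INTEGER PRIMARY KEY, page_content TEXT)"
    )
    return conn


def insert_interpolated(conn, page_content):
    """Same shape as the quoted Tcl: the value is spliced into the SQL text.

    Any apostrophe in the content ends the string literal early, so the
    statement is either rejected or means something other than intended.
    Returns True if the insert was accepted, False if it failed.
    """
    sql = "INSERT INTO profile (page_content) VALUES('%s')" % page_content
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def insert_bound(conn, page_content):
    """Pass the content as a bound parameter.

    The driver hands the value to the database separately from the SQL,
    so arbitrary HTML is stored byte-for-byte without touching the grammar.
    """
    conn.execute(
        "INSERT INTO profile (page_content) VALUES (?)", (page_content,)
    )
    return True


def fetch_all(conn):
    """Return every stored page_content, oldest first."""
    return [
        row[0]
        for row in conn.execute("SELECT page_content FROM profile ORDER BY id")
    ]


def demo():
    """Run both inserts against a fresh table.

    Returns (interpolated_ok, bound_ok, stored_rows): the interpolated
    insert fails on the apostrophe, the bound one stores the HTML intact.
    """
    conn = open_db()
    naive_ok = insert_interpolated(conn, SAMPLE_HTML)
    bound_ok = insert_bound(conn, SAMPLE_HTML)
    return naive_ok, bound_ok, fetch_all(conn)


if __name__ == "__main__":
    naive_ok, bound_ok, rows = demo()
    print("interpolated insert accepted:", naive_ok)
    print("bound insert accepted:", bound_ok)
    print("rows stored:", len(rows))
```

Limiting the database role to select/insert/update narrows what a crafted value can do, but it does not change the fact that the content is parsed as SQL; the bound form removes that parse step entirely, which is why it also copes with arbitrarily complex HTML.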
