author | Eugeniy E. Mikhailov <evgmik@gmail.com> | 2022-09-27 00:06:26 -0400 |
---|---|---|
committer | Eugeniy E. Mikhailov <evgmik@gmail.com> | 2022-09-27 00:06:26 -0400 |
commit | ab7688a44cf972401d4420a515aef4d03f2122ed (patch) | |
tree | 140762f9362f45ba32cebe8165cc56f567b271fe | |
parent | f1c658425b34a5d4f9c9e4554300fa9b217f3545 (diff) | |
download | GradeBook-ab7688a44cf972401d4420a515aef4d03f2122ed.tar.gz GradeBook-ab7688a44cf972401d4420a515aef4d03f2122ed.zip |
AddColumnNonWeb protected against SQL injection
-rwxr-xr-x | GradeBook_lib.tcl | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/GradeBook_lib.tcl b/GradeBook_lib.tcl
index f2499cc..914370f 100755
--- a/GradeBook_lib.tcl
+++ b/GradeBook_lib.tcl
@@ -641,7 +641,7 @@ proc ColName2SqlSafeForm {colname} {
 }
 proc AddUserNonWeb { first_name last_name user_name {group_name {guest}} {id_number {}} {section_num {} } } {
- set eval_str [concat INSERT INTO GradesTable (FirstName, LastName, UserName, GroupName, IdNum, SectionNum) VALUES('$first_name', '$last_name', '$user_name', '$group_name', '$id_number', '$section_num')]
+ set eval_str [concat INSERT INTO GradesTable (FirstName, LastName, UserName, GroupName, IdNum, SectionNum) VALUES(:first_name, :last_name, :user_name, :group_name, :id_number, :section_num)]
 set err [catch {db eval $eval_str } errStat]
 if { $err } {
 htmlErrorMsg $errStat |
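Review bot: The statement in AddUserNonWeb is still assembled with `concat` into `eval_str` inside square brackets, where Tcl substitution stays active, so the fix holds only as long as nobody re-adds a `$var` to that line. Passing a braced literal directly keeps Tcl from substituting anything and leaves all binding to SQLite: `set err [catch {db eval {INSERT INTO GradesTable (FirstName, LastName, UserName, GroupName, IdNum, SectionNum) VALUES(:first_name, :last_name, :user_name, :group_name, :id_number, :section_num)}} errStat]`. A short comment such as `# :name placeholders are bound by db eval from this proc's parameters; keep the names in sync` would document why the renamed tokens work. The commit title names AddColumnNonWeb while this hunk changes AddUserNonWeb; if AddColumnNonWeb builds its SQL by interpolation elsewhere in the file, it is not covered here, and column identifiers cannot be bound as parameters, so it would need validation of the name instead. The proc body continues past the end of the hunk, so the remaining error handling is not visible.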