screen potential sql injection in Authenticate_User proc

author: Eugeniy Mikhailov <evgmik@gmail.com> 2012-12-18 10:51:46 -0500
committer: Eugeniy Mikhailov <evgmik@gmail.com> 2012-12-18 10:51:46 -0500
commit: d1191c062e2c14b44c5bfe16dbd593ce6d400700 (patch)
tree: dab519269cecaf241d542735a4a7d3b0946b517c
parent: 38aa8e28b85a716c45dc23c7039067069ff75a5d (diff)
download: GradeBook-d1191c062e2c14b44c5bfe16dbd593ce6d400700.tar.gz
GradeBook-d1191c062e2c14b44c5bfe16dbd593ce6d400700.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/GradeBook_lib.tcl b/GradeBook_lib.tcl
index 4876c82..f379533 100755
--- a/GradeBook_lib.tcl
+++ b/GradeBook_lib.tcl
@@ -1868,7 +1868,7 @@ proc Authenticate_User { user_requested password } {
 		return __non_existing_user__
 	}
 
-	set eval_str [list SELECT UserName FROM PasswordsTable WHERE UserName='$user_requested' AND PasswordHash='$PasswordHash']
+	set eval_str [list SELECT UserName FROM PasswordsTable WHERE UserName=:user_requested AND PasswordHash=:PasswordHash]
 	set err [catch {
 		pdb eval $eval_str valid_user_name_array {}
 	} errStat ]
author	Eugeniy Mikhailov <evgmik@gmail.com>	2012-12-18 10:51:46 -0500
committer	Eugeniy Mikhailov <evgmik@gmail.com>	2012-12-18 10:51:46 -0500
commit	d1191c062e2c14b44c5bfe16dbd593ce6d400700 (patch)
tree	dab519269cecaf241d542735a4a7d3b0946b517c
parent	38aa8e28b85a716c45dc23c7039067069ff75a5d (diff)
download	GradeBook-d1191c062e2c14b44c5bfe16dbd593ce6d400700.tar.gz GradeBook-d1191c062e2c14b44c5bfe16dbd593ce6d400700.zip