author | Eugeniy Mikhailov <evgmik@gmail.com> | 2012-12-12 09:47:22 -0500 |
committer | Eugeniy Mikhailov <evgmik@gmail.com> | 2012-12-12 09:47:22 -0500 |
commit | 1441155d94cba50fd59bf2fb12dde3c4c3569db7 (patch) | |
tree | 01097d3c8e3e95505a6ef68274597c21ad8dff19 | |
parent | d25be6e92b8a39594284e9ba60bb97506a05e233 (diff) | |
check against SQL injection during password database access v2.0.4
-rwxr-xr-x | GradeBook_lib.tcl | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/GradeBook_lib.tcl b/GradeBook_lib.tcl
index 340bed2..68b74cc 100755
--- a/GradeBook_lib.tcl
+++ b/GradeBook_lib.tcl
@@ -1824,7 +1824,8 @@ proc Create_Passwords_Table {} {
 }
 proc is_User_Registered_in_Passwords_DB { user_requested } {
- set eval_str [list SELECT UserName FROM PasswordsTable WHERE UserName='$user_requested']
+ # note the use of : instead of $ (this sqlite feature)
+ set eval_str {SELECT UserName FROM PasswordsTable WHERE UserName=:user_requested}
 set err [catch { pdb eval $eval_str registered_user_names_array {} } errStat ] |