From ab7688a44cf972401d4420a515aef4d03f2122ed Mon Sep 17 00:00:00 2001
From: "Eugeniy E. Mikhailov"
Date: Tue, 27 Sep 2022 00:06:26 -0400
Subject: AddColumnNonWeb protected against SQL injection

---
 GradeBook_lib.tcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/GradeBook_lib.tcl b/GradeBook_lib.tcl
index f2499cc..914370f 100755
--- a/GradeBook_lib.tcl
+++ b/GradeBook_lib.tcl
@@ -641,7 +641,7 @@ proc ColName2SqlSafeForm {colname} {
 }
 
 proc AddUserNonWeb { first_name last_name user_name {group_name {guest}} {id_number {}} {section_num {} } } {
- set eval_str [concat INSERT INTO GradesTable (FirstName, LastName, UserName, GroupName, IdNum, SectionNum) VALUES('$first_name', '$last_name', '$user_name', '$group_name', '$id_number', '$section_num')]
+ set eval_str [concat INSERT INTO GradesTable (FirstName, LastName, UserName, GroupName, IdNum, SectionNum) VALUES(:first_name, :last_name, :user_name, :group_name, :id_number, :section_num)]
 set err [catch {db eval $eval_str } errStat]
 if { $err } {
 	htmlErrorMsg $errStat
-- 
cgit v1.2.3
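Review bot: The subject line names AddColumnNonWeb, but the only change in this hunk is inside AddUserNonWeb; the title should name the proc that was actually fixed so the history stays greppable. The switch to `:first_name`-style placeholders in the VALUES list is the right fix — assuming `db` is the Tcl sqlite3 handle, `db eval` binds each `:name` to the like-named variable of the calling proc at execution time, so the values never become part of the SQL text — but the surrounding `[concat ...]` is now dead weight: with no `$` substitution left, the statement can be a plain braced literal, `set eval_str {INSERT INTO GradesTable (FirstName, LastName, UserName, GroupName, IdNum, SectionNum) VALUES(:first_name, :last_name, :user_name, :group_name, :id_number, :section_num)}`, which also makes it visible at a glance that nothing is interpolated. A one-line comment above it, `# values are bound by name inside db eval; never interpolate them into the SQL text`, would help prevent the old pattern from being reintroduced by copy-paste. The `if { $err }` block and the remainder of AddUserNonWeb continue past the end of the hunk.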