From 93a0a9f6bca5ed195839d1c398bb5c362760f0c7 Mon Sep 17 00:00:00 2001
From: Eugeniy Mikhailov
Date: Tue, 18 Dec 2012 12:52:11 -0500
Subject: sql injection protection in SelectItemFromCourseInfoTable
---
 GradeBook_lib.tcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'GradeBook_lib.tcl')
diff --git a/GradeBook_lib.tcl b/GradeBook_lib.tcl
index bf4d7ca..d7b9b5f 100755
--- a/GradeBook_lib.tcl
+++ b/GradeBook_lib.tcl
@@ -384,7 +384,7 @@ proc CreateCourseInfoTable {db} {
 proc SelectItemFromCourseInfoTable { item } {
 set value {}
- set eval_str "SELECT \"Value\" FROM CourseInfoTable where Item=\"$item\""
+ set eval_str "SELECT Value FROM CourseInfoTable where Item=:item"
 set err [catch {
 db eval $eval_str v {
 set value $v(Value)
-- cgit v1.2.3
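Review bot: The new `set eval_str` line still builds the SQL in a double-quoted Tcl string, so a later edit that puts a `$var` back into it would silently restore interpolation. Bracing the statement keeps Tcl substitution out of the SQL text entirely: `set eval_str {SELECT Value FROM CourseInfoTable WHERE Item=:item}`. The binding works only because `db eval` runs inside the `catch` script in this proc's frame, where `:item` resolves to the proc argument. A comment such as `# :item is bound by sqlite3 to the proc argument; never splice $item into the SQL text` would record that dependency. The proc body continues past the end of the hunk, so how `err` is handled is not visible here. Other query builders in GradeBook_lib.tcl presumably follow the old pattern and would need the same change.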