From d1191c062e2c14b44c5bfe16dbd593ce6d400700 Mon Sep 17 00:00:00 2001
From: Eugeniy Mikhailov
Date: Tue, 18 Dec 2012 10:51:46 -0500
Subject: screen potential sql injection in Authenticate_User proc

---
 GradeBook_lib.tcl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'GradeBook_lib.tcl')

diff --git a/GradeBook_lib.tcl b/GradeBook_lib.tcl
index 4876c82..f379533 100755
--- a/GradeBook_lib.tcl
+++ b/GradeBook_lib.tcl
@@ -1868,7 +1868,7 @@ proc Authenticate_User { user_requested password } {
 return __non_existing_user__
 }
- set eval_str [list SELECT UserName FROM PasswordsTable WHERE UserName='$user_requested' AND PasswordHash='$PasswordHash']
+ set eval_str [list SELECT UserName FROM PasswordsTable WHERE UserName=:user_requested AND PasswordHash=:PasswordHash]
 set err [catch { pdb eval $eval_str valid_user_name_array {} } errStat ]
-- 
cgit v1.2.3
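Review bot: The bound-parameter form on the added line is the right fix, but wrapping it in `[list ...]` is now misleading: the list was only needed while `$user_requested` and `$PasswordHash` were Tcl-interpolated, and with `:user_requested`/`:PasswordHash` resolved by `pdb eval` at execution time no substitution happens inside the SQL text. A plain braced string states the intent and cannot be re-quoted by `list`, e.g. `set eval_str {SELECT UserName FROM PasswordsTable WHERE UserName=:user_requested AND PasswordHash=:PasswordHash}` with a comment `# :var placeholders are bound by pdb eval, never interpolated into the SQL`. Since `:PasswordHash` is bound from the variable of that name in the proc's scope, the proc must keep computing `PasswordHash` under exactly that name before this line (presumably it already does, as the removed line read it). Authenticate_User starts and ends outside the hunk.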