Hello!

On Thursday 24 September 2009 17:56:08 Bas Scheffers wrote:
> The two main attack vectors for any web application are: remote code
> execution and SQL injection. The first one could occur if you
> dynamically create Tcl code using values sent by a user (either as
> form data, part of the URL, part of headers, anything) and then use
> subst or eval on it. Don't do that! :)
And Tcl 8.5 has the very useful operator {*} for list substitution.

> SQL injection (google it) is
> pretty much the same, except on the sql level. Always use
> ns_sqlquotevalue or a routine you create yourself to properly quote
> ANY value. Just because you are expecting a numeric value to come
> back, you can't think that you won't have to check it. You must check
> if it is a number value. ("string is integer -strict" is your friend)

You can quote all values as text and make the type translation when it is needed. As an example, for PostgreSQL:

    proc ns_dbquotevalue {value {type text}} {
        # empty input becomes an empty SQL string literal
        if {[string match "" $value]} {
            return "''"
        }
        # double every single quote so the value stays inside the literal
        regsub -all "'" $value "''" value
        if {$type eq "text"} {return "'$value'"}
        # any other type is applied as a cast on the quoted literal
        return "'$value'::$type"
    }

A query will look like this:

    puts "select [ns_dbquotevalue 999 int];"
    select '999'::int;

Best regards, Alexey Pechnikov.
http://pechnikov.tel/

--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <lists...@listserv.aol.com> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
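The following is an added example, not code from the thread above or from AOLserver. It puts the two attack vectors Bas describes side by side with the defences Alexey and Bas recommend: a quote-and-cast helper in the style of ns_dbquotevalue, a strict integer check in front of it, and `{*}` argument expansion in place of `eval` on user-built strings. It assumes Tcl 8.5 or later (for `{*}`); no database is contacted, the SQL is only assembled as text, and the attacker inputs are constructed for the demonstration. All procedure names are hypothetical.

```tcl
# Added example (not from the original message or AOLserver).
# Assumes Tcl 8.5+ for {*}. No database connection is made.

# Quote one value as a PostgreSQL literal, optionally cast to a type.
# Same idea as ns_dbquotevalue in the thread: quotes are doubled and the
# cast is applied to the quoted literal, so the value never leaves the
# string context of the statement.
proc quote_value {value {type text}} {
    if {$value eq ""} {
        return "''"
    }
    set value [string map {' ''} $value]
    if {$type eq "text"} {
        return "'$value'"
    }
    return "'$value'::$type"
}

# Type check before quoting. "string is integer -strict" is what the
# thread suggests; the extra regexp is tighter, because Tcl also accepts
# surrounding whitespace and 0x/0o/0b prefixes that a ::int cast would
# reject at the database. Failing early keeps the error in Tcl.
proc require_int {value} {
    if {![string is integer -strict $value] || ![regexp {^-?[0-9]+$} $value]} {
        error "not an integer: $value"
    }
    return $value
}

# SQL injection: raw interpolation versus checked-and-quoted.
proc user_query_unsafe {id} {
    # Vulnerable: the user value is pasted straight into the statement.
    return "select * from users where id = $id"
}

proc user_query_safe {id} {
    return "select * from users where id = [quote_value [require_int $id] int]"
}

proc try_query {id} {
    if {[catch {user_query_safe $id} result]} {
        return "rejected: $result"
    }
    return $result
}

# Tcl code injection: user text re-parsed by eval versus passed as arguments.
proc greet {first last} {
    return "Hello, $first $last"
}

proc call_unsafe {handler first last} {
    # Vulnerable: builds a script out of user strings, so anything after
    # a ";" in them runs as a separate Tcl command.
    return [eval "$handler $first $last"]
}

proc call_safe {handler arglist} {
    # arglist is a proper Tcl list (built with [list]); {*} expands it
    # into separate arguments and nothing inside is ever parsed as code.
    return [$handler {*}$arglist]
}

# Constructed attacker inputs for the demonstration.
set bad_id {1 or 1=1; drop table users; --}
set bad_last {Smith; puts INJECTED}

puts [user_query_unsafe $bad_id]
# select * from users where id = 1 or 1=1; drop table users; --

foreach id [list 42 $bad_id 0x2A { 7 }] {
    puts [try_query $id]
}
# select * from users where id = '42'::int
# rejected: not an integer: 1 or 1=1; drop table users; --
# rejected: not an integer: 0x2A
# rejected: not an integer:  7

puts [call_unsafe greet Alice $bad_last]
# prints INJECTED (the injected command ran), then the empty result of eval

puts [call_safe greet [list Alice $bad_last]]
# Hello, Alice Smith; puts INJECTED
```

Two caveats a practitioner will want. First, doubling quotes is only sufficient when the server treats backslashes literally; on PostgreSQL with standard_conforming_strings turned off (the default on versions before 9.1), a backslash inside an ordinary '...' literal is an escape character and must be handled as well, so either enable standard_conforming_strings or prefer bind variables where the driver offers them. Second, the eval case is only dangerous because the script is assembled by string concatenation; a list built with `list` and expanded with `{*}` (or, before 8.5, `eval [linsert $args 0 $cmd]`) keeps each user value as exactly one argument.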