On Sat, Dec 5, 2009 at 8:37 AM, Don Baccus <dhog...@pacifier.com> wrote:
> On Dec 4, 2009, at 12:03 PM, Tom Jackson wrote:
>>
>> The problem remains for other databases using the ns_db APIs. The
>> quoting examples are general, but don't always work.
>
> The person's using PG so a PG-specific solution solves the problem.
>
> No reason to make this more complex when a simple solution suffices.
>

Really? The title of the post says AOLserver is vulnerable. The example code uses [ns_db]. In case anyone else is interested, you can avoid SQL injection without using bind variables, regardless of which database or driver you use.

>> Another problem is working with nulls. You can't quote null and
>> postgresql distinguishes the empty string from null.
>
> Tcl doesn't implement the null concept. 'set foo ""' sets foo to the empty
> string, not null.

Tcl can write a query string which uses the keyword NULL. Unfortunately the simple (but very nice and also safe) bind variable concept doesn't handle this common requirement.

tom jackson

--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <lists...@listserv.aol.com> with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: field of your email blank.
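An added example (not from the thread, nor AOLserver's own code) of the two points made above: building a literal for an ns_db query with only standard SQL quote doubling, so it works across drivers, and emitting the keyword NULL when the caller marks a value as null, which a bind variable cannot express. The proc names `sql_literal` and `build_insert` are assumptions; it assumes the server treats backslashes in string literals as plain characters (standard_conforming_strings on PostgreSQL), otherwise backslashes need escaping too.

```tcl
# Added example, not code from the thread or from AOLserver.
# Hypothetical helpers: sql_literal and build_insert.

# Return a SQL literal for $value. When $isnull is true, emit the
# keyword NULL instead of a quoted string, since Tcl has no null value
# and a quoted empty string is not NULL in PostgreSQL.
proc sql_literal {value {isnull 0}} {
    if {$isnull} {
        return NULL
    }
    # Doubling single quotes is the only escape standard SQL requires;
    # it is what every ns_db driver's database understands.
    return "'[string map {' ''} $value]'"
}

# Build an INSERT statement. $nulls is a list parallel to $values with
# 1 where the column should be NULL.
proc build_insert {table columns values nulls} {
    set lits {}
    foreach v $values n $nulls {
        lappend lits [sql_literal $v $n]
    }
    return "INSERT INTO $table ([join $columns ", "])\
            VALUES ([join $lits ", "])"
}

# Constructed input: a name containing an apostrophe and an email that
# should be stored as NULL rather than as ''.
set sql [build_insert users {name email} {O'Brien {}} {0 1}]
puts $sql
# prints: INSERT INTO users (name, email) VALUES ('O''Brien', NULL)

# Inside AOLserver the statement would then be run with:
#   ns_db dml $db $sql
```

The apostrophe survives as data rather than closing the literal, and the second column reaches the database as a real NULL.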