On Dec 5, 2009, at 5:13 PM, Tom Jackson wrote:
On Sat, Dec 5, 2009 at 8:37 AM, Don Baccus <[email protected]> wrote:
On Dec 4, 2009, at 12:03 PM, Tom Jackson wrote:
The problem remains for other databases using the ns_db APIs. The
quoting examples are general, but don't always work.
The person's using PG so a PG-specific solution solves the problem.
No reason to make this more complex when a simple solution suffices.
Really? The title of the post says AOLserver is vulnerable. The
example code uses [ns_db]. In case anyone else is interested, you can
avoid SQL injection without using bind variables, regardless of which
database or driver you use.
Another problem is working with nulls. You can't quote null and
PostgreSQL distinguishes the empty string from null.
Tcl doesn't implement the null concept. 'set foo ""' sets foo to the empty
string, not null.
Tcl can write a query string which uses the keyword NULL.
Unfortunately the simple (but very nice and also safe) bind variable
concept doesn't handle this common requirement.
tom jackson
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to <[email protected]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.
----
Don Baccus
http://donb.photo.net
http://birdnotes.net
http://openacs.org
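The two points Tom makes above, that quoting can be done safely without bind variables and that a query string (unlike a bind variable) can carry the keyword NULL, are illustrated by the following Tcl procs. This is an added example, not code from the thread or from AOLserver; the proc names sql_literal, sql_integer, sql_null and build_update are constructed for it, and the users table and its columns are made up. It assumes PostgreSQL with standard_conforming_strings on (the default since 9.1), where doubling the single quote is the only escape a string literal needs; the optional backslash_escapes flag covers older servers that still treat backslash as an escape, which is exactly the kind of case where "general" quoting advice stops being safe.

```tcl
# Added example (not from the thread): safe SQL literals in Tcl without
# bind variables, plus an explicit way to express SQL NULL.
# Assumes PostgreSQL. Proc names are constructed for this example.

# Tcl has no null value: "" is the empty string, not NULL. A sentinel
# value stands in for NULL so that callers can ask for it explicitly.
# The sentinel contains a NUL byte, which sql_literal rejects in all other
# input, so ordinary data can never be mistaken for it.
set ::sql_null_sentinel "\x00NULL\x00"   ;# constructed sentinel
proc sql_null {} { return $::sql_null_sentinel }

# Return a SQL literal for $value: the keyword NULL for the sentinel, a
# quoted string otherwise. Every embedded single quote is doubled.
# With backslash_escapes set, backslashes are doubled as well, for servers
# running with standard_conforming_strings off (PostgreSQL before 9.1).
proc sql_literal {value {backslash_escapes 0}} {
    if {$value eq [sql_null]} {
        return NULL
    }
    # PostgreSQL cannot store NUL in text, and a C-based driver may cut the
    # string at the first NUL, silently changing the query that is sent.
    if {[string first "\x00" $value] != -1} {
        error "sql_literal: NUL byte in value"
    }
    set map [list ' '']
    if {$backslash_escapes} {
        lappend map \\ \\\\
    }
    return "'[string map $map $value]'"
}

# Numeric positions are validated rather than quoted, so that text such as
# "1 OR 1=1" can never be interpolated where an integer is expected.
proc sql_integer {value} {
    if {![string is integer -strict $value]} {
        error "sql_integer: not an integer: $value"
    }
    return $value
}

# Build an UPDATE on a nullable column, the case bind variables do not
# express when the language has no null.
proc build_update {user_id bio} {
    return "UPDATE users SET bio = [sql_literal $bio]\
            WHERE user_id = [sql_integer $user_id]"
}

# Constructed inputs; no database is touched here. Under AOLserver the
# resulting string would be handed to [ns_db dml $db $sql].
puts [build_update 42 "O'Reilly"]
puts [build_update 42 "'; DROP TABLE users; --"]
puts [build_update 42 [sql_null]]
puts [build_update 42 ""]
if {[catch {build_update "1 OR 1=1" "x"} err]} { puts "rejected: $err" }
```

The second call shows why doubling the quote is enough: the injected quote becomes part of the literal, so the whole payload is stored as text rather than executed. The third and fourth calls show the distinction Tom and Don discuss, NULL versus the empty string, being chosen by the caller instead of lost in the Tcl value. The last call shows that validation, not quoting, is the right tool for numeric positions.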