How about something like:
char *sql = g_strdup_printf ("INSERT INTO test(id) VALUES('%s')", p); /* p: raw text from the entry box */
doSQL (sql);                                                            /* hand the built query to the database */
g_free (sql);                                                           /* g_strdup_printf() result is g_malloc'd */
You also want to check that the user entry is valid and doesn't
contain things like quotes. Otherwise some joker could enter something
like:
'); update person set salary=100000 where id=1234; insert into test(id) values('a
into your entry box and whoopee, hack your database.
--tml
_______________________________________________
gtk-list mailing list
[email protected]
http://mail.gnome.org/mailman/listinfo/gtk-list
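The injection the post describes, worked through as an added example (this is not code from the post or from GTK/GLib). Plain C stdlib stands in for g_strdup_printf() so it builds without GLib; the payload is the joker's entry quoted above, and the "id must be [A-Za-z0-9_]" policy in is_valid_id() is a hypothetical rule for this field. count_statement_separators() is a crude stand-in for the database's lexer: it counts semicolons that fall outside single-quoted literals, so a non-zero result means the user text terminated our statement and started its own.

```c
/* Added example (not from the original post): why pasting user text into
 * the SQL string is exploitable, and two ways to close the hole. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Constructed input: the joker's entry from the post. */
const char *const INJECTION_PAYLOAD =
    "'); update person set salary=100000 where id=1234; "
    "insert into test(id) values('a";

/* Build the query the way the post does: user text pasted straight into
 * the SQL. snprintf() stands in for g_strdup_printf(). Returns malloc'd. */
char *build_sql_unsafe(const char *p)
{
    const char *fmt = "INSERT INTO test(id) VALUES('%s')";
    int n = snprintf(NULL, 0, fmt, p);
    char *sql = malloc((size_t)n + 1);
    if (sql) snprintf(sql, (size_t)n + 1, fmt, p);
    return sql;
}

/* Fix 1, "check that the user entry is valid": allowlist only
 * [A-Za-z0-9_] (hypothetical policy for an id field). */
int is_valid_id(const char *p)
{
    if (p == NULL || *p == '\0') return 0;
    for (; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_') return 0;
    return 1;
}

/* Fix 2: make the value safe inside a single-quoted literal by doubling
 * every single quote (the standard-SQL rule). Returns malloc'd. */
char *sql_escape_literal(const char *p)
{
    size_t len = strlen(p), quotes = 0, i, j = 0;
    for (i = 0; i < len; i++) if (p[i] == '\'') quotes++;
    char *out = malloc(len + quotes + 1);
    if (!out) return NULL;
    for (i = 0; i < len; i++) {
        out[j++] = p[i];
        if (p[i] == '\'') out[j++] = '\'';
    }
    out[j] = '\0';
    return out;
}

/* Same query shape as the post, but the value is escaped first. */
char *build_sql_escaped(const char *p)
{
    char *esc = sql_escape_literal(p);
    if (!esc) return NULL;
    char *sql = build_sql_unsafe(esc);
    free(esc);
    return sql;
}

/* Count ';' outside single-quoted literals. Doubled quotes toggle the
 * in-string flag twice, so an escaped value never leaves the literal. */
int count_statement_separators(const char *sql)
{
    int in_string = 0, count = 0;
    for (; *sql; sql++) {
        if (*sql == '\'') in_string = !in_string;
        else if (*sql == ';' && !in_string) count++;
    }
    return count;
}

int main(void)
{
    char *bad = build_sql_unsafe(INJECTION_PAYLOAD);
    char *ok  = build_sql_escaped(INJECTION_PAYLOAD);
    printf("passes allowlist? %d\n", is_valid_id(INJECTION_PAYLOAD));
    printf("unsafe : %s\n  -> %d extra statement(s)\n", bad,
           count_statement_separators(bad));
    printf("escaped: %s\n  -> %d extra statement(s)\n", ok,
           count_statement_separators(ok));
    free(bad);
    free(ok);
    return 0;
}
```

Escaping is the fallback, not the first choice: every database API that GTK programs commonly sit on top of (SQLite's sqlite3_prepare_v2()/sqlite3_bind_text(), PostgreSQL's PQexecParams(), MySQL's prepared statements) lets you send the query text and the value separately, so the value can never be parsed as SQL at all. Use that wherever the library offers it, and keep the allowlist check on the entry box regardless, since it also rejects garbage before it reaches the database.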