Yes that has a sql injection vulnerability this doesn't:
"execute procedure esp_web_new_user({0},{1},{2},{3},{4},{5})".format(db.
_adapter.dialect.quote(str(form.vars.f)), db._adapter.dialect.quote(str(form
.vars.i)),db._adapter.dialect.quote(str(form.vars.pser)), db._adapter.
dialect.quote(str(form.vars.pnum)), db._adapter.dialect.quote(str(form.vars.
num)), db._adapter.dialect.quote(auth.user_id))
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
