Hi, I've been alerted that a site I maintain, running on AOLserver 4.5.0 using the nspostgres driver, may be vulnerable to sql injection.
A typical adp page performs a query like this:

    set sql_query "select * from sometable where entrynumber = $id"
    set db [ns_db gethandle]
    set selection [ns_db select $db $sql_query]
    ns_db getrow $db $selection
    ...

I would guess that "ns_db select" would make any damaging injected DML statements impossible. Is that correct?

In a previous discussion thread here ("ns_db and bind variable support") I see "ns_db prepare..." mentioned. Is that a safer way to perform db queries in adp pages?

/Björn

--
AOLserver - http://www.aolserver.com/
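As an added illustration (not code from the post or from AOLserver), the query pattern above next to a guarded version: the raw interpolation accepts whatever the request supplies, while a type check keeps request text out of the SQL entirely. The quote_text proc is a local copy of the single-quote doubling that AOLserver's ns_dbquotevalue performs, so the script runs under a plain tclsh; the ns_db calls are shown only in comments.

```tcl
# Vulnerable pattern from the post: $id is interpolated unchanged, so any
# SQL text in the request parameter becomes part of the statement.
proc unsafe_query {id} {
    return "select * from sometable where entrynumber = $id"
}

# Hardened for an integer column: reject anything that is not an integer
# before it gets near the query string.
proc safe_query {id} {
    if {![string is integer -strict $id]} {
        error "entrynumber must be an integer, got: $id"
    }
    return "select * from sometable where entrynumber = $id"
}

# For text columns: double embedded single quotes and wrap the value,
# mirroring what ns_dbquotevalue does inside nsd (local copy, assumption).
proc quote_text {value} {
    return "'[string map {' ''} $value]'"
}
proc safe_text_query {name} {
    return "select * from sometable where name = [quote_text $name]"
}

# Constructed inputs: a legitimate id and a value a request might carry
# in its place.
foreach id {42 "42 or 1=1"} {
    puts "unsafe: [unsafe_query $id]"
    if {[catch {safe_query $id} result]} {
        puts "safe  : rejected ($result)"
    } else {
        puts "safe  : $result"
    }
}
puts "text  : [safe_text_query "O'Brien"]"

# In the adp page the validated string is then used exactly as before:
#   set db [ns_db gethandle]
#   set selection [ns_db select $db [safe_query $id]]
```

The second loop iteration prints the injected clause in the unsafe query and a rejection from safe_query, which is the difference a defender wants to see in the server log.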