Hi,

I've been alerted that a site I maintain, running on AOLserver 4.5.0
using the nspostgres driver, may be vulnerable to SQL injection.

A typical ADP page performs a query like this:

set sql_query "select * from sometable where entrynumber = $id"
set db [ns_db gethandle]
set selection [ns_db select $db $sql_query]
ns_db getrow $db $selection
...

I would guess that "ns_db select" would make any damaging injected DML
statements impossible. Is that correct?

In a previous discussion thread here ("ns_db and bind variable
support") I see "ns_db prepare..." mentioned.  Is that a safer way to
perform db queries in adp pages?

/Björn


--
AOLserver - http://www.aolserver.com/
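As an added example that is not part of the original post: the same lookup written so that the request value cannot change the shape of the SQL. ns_db select does not inspect or parameterise the query text; whatever string Tcl has already substituted into $sql_query is exactly what nspostgres hands to PostgreSQL, so any check has to happen before substitution. The proc names, the column name "title", and reading the parameter with ns_queryget are assumptions made for this example; ns_dbquotevalue and the ns_db / ns_set subcommands are AOLserver's own Tcl API.

```tcl
# Added example (not from the original post). Assumes the table and column
# from the post (sometable, entrynumber) plus a string column "title".

proc fetch_entry {db id} {
    # Reject anything that is not a plain integer before it reaches the SQL
    # text. ns_db select does not parse the query: whatever $id expands to,
    # including "1 or 1=1" or a trailing statement, would be sent as-is.
    if {![string is integer -strict $id]} {
        error "entrynumber must be an integer, got '$id'"
    }
    set selection [ns_db select $db \
        "select * from sometable where entrynumber = $id"]
    set rows [list]
    # ns_db getrow returns 1 while rows remain and fills the ns_set $selection.
    while {[ns_db getrow $db $selection]} {
        lappend rows [ns_set get $selection title]
    }
    return $rows
}

proc fetch_by_title {db title} {
    # For string values, ns_dbquotevalue returns the value wrapped in single
    # quotes with every embedded quote doubled, so o'brien becomes 'o''brien'
    # and a value like x' or 1=1-- stays inside the literal.
    set quoted [ns_dbquotevalue $title]
    set selection [ns_db select $db \
        "select * from sometable where title = $quoted"]
    set rows [list]
    while {[ns_db getrow $db $selection]} {
        lappend rows [ns_set get $selection entrynumber]
    }
    return $rows
}

# Usage from an ADP page (assumed request parameter names: id, title).
set db [ns_db gethandle]
set id [ns_queryget id]
if {[catch {fetch_entry $db $id} result]} {
    ns_returnbadrequest $result
} else {
    ns_return 200 text/plain [join $result "\n"]
}
ns_db releasehandle $db
```

The integer check is the stronger of the two for a numeric column: it never puts a quoted string into a numeric comparison, and it rejects the bad input outright instead of trying to escape it. ns_dbquotevalue covers the case where the column really is text and the value must be passed through.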
