On Tue, Mar 15, 2016 at 10:45:32AM +0530, Shaan Repswal wrote:
> The value of the textbox is in String. I just have to call a "get_text()"
> method on a textbox object and I get the string value. I used it just a few
> minutes ago. It's working now. Thanks a lot. I'm not too worried about sql
> injections just yet because the only people about to use this application
> are supposed to have all access anyway.
This is not at all about SQL injections. If I understand
correctly you are attempting to use a user supplied string
for a column name in a table.
In this case you will _have_ to preprocess the user input to
make it even _suitable_ for becoming a column name. At that
point not a single thought has been spent on any security
implications of such an approach yet.
Karsten
--
GPG key ID E4071346 @ eu.pool.sks-keyservers.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
