Forum OpenACS Development: Re: Possible Vulnerability in basic-info-update-2.tcl

Posted by Don Baccus on
Well the current scheme assumes you know the type of what you're passing, and that you'll say "user_id:integer,notnull" when you write your page contract.  If you find pages not doing that, submit patches to your heart's content.

Using db attributes would add some additional security, relieving the programmer of some of the burden, but the db hit would be too expensive IMO ... I think ad_page_contract, properly used, is a reasonable compromise.
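As an added illustration of the point made above (constructed for this note, not code from the thread or from OpenACS's own basic-info-update-2.tcl): the same page contract written without and with the type declarations the reply describes, followed by a query that passes the values as bind variables. The page text, parameter names and the update statement are hypothetical.

```tcl
# Illustrative page contract, constructed for this example. The two
# ad_page_contract calls below are alternative versions of the same page,
# shown side by side; a real page has exactly one.

# Weak form: user_id arrives as an untyped string. ad_page_contract accepts
# any value here, so the page body has to trust whatever the client sent.
ad_page_contract {
    Update the current user's basic info (illustrative).
} {
    user_id
    first_names
}

# Preferred form, as the reply describes: declare the type in the contract.
# "integer" rejects anything that is not a whole number before the page body
# runs, "notnull" rejects an empty value, and "trim" strips surrounding
# whitespace. A request failing a filter is answered with an error page
# instead of reaching the code below.
ad_page_contract {
    Update the current user's basic info (illustrative).
} {
    user_id:integer,notnull
    first_names:trim,notnull
}

# Whichever contract is used, pass values to the database as bind variables
# (:user_id, :first_names) rather than building the SQL text from them.
# Constructed statement against the OpenACS persons table.
db_dml update_basic_info {
    update persons
       set first_names = :first_names
     where person_id = :user_id
}
```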