<security_hat>

> Thank you very much. These suggestions do just what I need - I may
> tweak them a bit, but as I use JavaScript to do a lot of the
> validation before anything is sent to the ruby script, I won't need
> to alter much.

WHOA, WHOA, WHOA, WHOA, WHOA!  JavaScript?  That's a really _BAD_
practice to get into and something I hope is _only_ used ON TOP of
validating the content on the server once it has been sent.  While
it's a nice way of instantaneously providing feedback to a user,
JavaScript cannot, and should not, be relied on for data validation.
I don't want to see Ruby become the security nightmare that PHP is.

(Web) developers, please escape and quote variables judiciously.

> > Using DBI it might look like this:
> > 
> > parms=... # Get params from CGI
> > dbh=DBI.connect('DBI:Mysql:databasename','username','password')
> > insh=dbh.prepare('insert into agent(_case,name1,name2) values(?,?,?)')
> > insh.execute([parms['_case'],parms['name1'],parms['name2']])

This is a VERY good practice that I would implore everyone to use for
all SQL statements that make use of Ruby variables because it DOES
quote variables _for you_.

</security_hat>

-sc

-- 
Sean Chittenden
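As an added example (not from this thread or from either poster), a small Ruby sketch of the two points made above: the server repeats the checks the form's JavaScript performs, and a DBI-style placeholder binding quotes the values for you. The field patterns, function names and the binder itself are assumptions; the binder only imitates what a real DBI driver does with `?` placeholders.

```ruby
# Added example, not code from the original thread. Server-side validation
# for the agent form plus a stand-in for DBI placeholder binding.

# Server-side checks: whatever the JavaScript validates in the browser must be
# re-checked here, because the server only sees what was actually sent.
# Field patterns are assumptions for this example.
FIELDS = {
  '_case' => /\A\d{1,10}\z/,               # numeric case id
  'name1' => /\A[[:alpha:] .'-]{1,64}\z/,  # required name
  'name2' => /\A[[:alpha:] .'-]{0,64}\z/   # optional name
}.freeze

# Returns a hash of field => error message; empty when all fields are valid.
def validate_agent(params)
  FIELDS.each_with_object({}) do |(field, pattern), errors|
    value = params[field].to_s
    errors[field] = 'missing or malformed' unless value.match?(pattern)
  end
end

# Stand-in for what a DBI driver does with '?' placeholders: each bind value is
# emitted as one literal, with quote characters inside the data doubled so they
# stay data rather than ending the string.
def quote_literal(value)
  case value
  when Integer then value.to_s
  when nil     then 'NULL'
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

def bind_placeholders(sql, values)
  raise ArgumentError, 'placeholder/value count mismatch' unless sql.count('?') == values.size
  pending = values.dup
  sql.gsub('?') { quote_literal(pending.shift) }
end

# Builds the insert from the thread for a set of request parameters (a hash as a
# CGI script would receive them). Returns [sql, errors]; sql is nil on errors.
def insert_agent_sql(params)
  errors = validate_agent(params)
  return [nil, errors] unless errors.empty?
  sql = bind_placeholders(
    'insert into agent(_case,name1,name2) values(?,?,?)',
    [params['_case'].to_i, params['name1'], params['name2']]
  )
  [sql, {}]
end
```

A name such as O'Brien passes validation and is bound with its quote doubled, so the statement stays well-formed; a non-numeric case id is rejected before any SQL is built, whether or not the browser ran the JavaScript.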