On Thu, Jul 16, 2009 at 4:20 AM, Michael Schlenker wrote:
>
>
> This is perfectly safe:
> set result [db1 eval {select * from X where label = $myStringValue and id >
> $compId}]
>
> But you MUST use {} to quote your query and not "", so sqlite gets to do
> the
> substitution (or
http://unixwiz.net/techtips/sql-injection.html is a nice introduction to
sql injection attacks. (Learning by example) It also explains why binding
is far superior to trying to invent a set of rules and cleaning the input.
On Thu, Jul 16, 2009 at 9:01 AM, Michael Schlenker
Fredrik Karlsson schrieb:
> On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker wrote:
>> You're working far too hard. The sqlite Tcl binding already does all that's
>> needed.
>>
>> This is perfectly safe:
>> set result [db1 eval {select * from X where label = $myStringValue and id
On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker wrote:
> You're working far too hard. The sqlite Tcl binding already does all that's
> needed.
>
> This is perfectly safe:
> set result [db1 eval {select * from X where label = $myStringValue and id >
> $compId}]
>
> But you MUST
Fredrik Karlsson schrieb:
> Dear list,
>
> Sorry for jumping onto the list mainly to ask a question, but it is an
> important one, and I have failed to find the answer on Google.
> I am developing a prototype of an application in Tcl using sqlite as
> the backend database. Now, I know that I will
Does Tcl support binding of parameters to prepared statements?
If yes, then do just that and you will not need to do any "quotes" and
think of any "ifs".
Pavel
On Thu, Jul 16, 2009 at 3:49 AM, Fredrik Karlsson wrote:
> Dear list,
>
> Sorry for jumping onto the list mainly to
Dear list,
Sorry for jumping onto the list mainly to ask a question, but it is an
important one, and I have failed to find the answer on Google.
I am developing a prototype of an application in Tcl using sqlite as
the backend database. Now, I know that I will be dealing with quite
naïve users,