Re: [sqlite] Protect against SQL injection inside of the database?

2009-07-16 Thread Gerry Snyder
On Thu, Jul 16, 2009 at 4:20 AM, Michael Schlenker wrote: > > > This is perfectly safe: > set result [db1 eval {select * from X where label = $myStringValue and id > > $compId}] > > But you MUST use {} to quote your query and not "", so sqlite gets to do > the > substitution (or

Re: [sqlite] Protect against SQL injection inside of the database?

2009-07-16 Thread Adam DeVita
http://unixwiz.net/techtips/sql-injection.html is a nice introduction to sql injection attacks. (Learning by example) It also explains why binding is far superior to trying to invent a set of rules and cleaning the input. On Thu, Jul 16, 2009 at 9:01 AM, Michael Schlenker

Re: [sqlite] Protect against SQL injection inside of the database?

2009-07-16 Thread Michael Schlenker
Fredrik Karlsson wrote: > On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker wrote: >> You're working far too hard. The sqlite Tcl binding already does all that's >> needed. >> >> This is perfectly safe: >> set result [db1 eval {select * from X where label = $myStringValue and id

Re: [sqlite] Protect against SQL injection inside of the database?

2009-07-16 Thread Fredrik Karlsson
On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker wrote: > You're working far too hard. The sqlite Tcl binding already does all that's > needed. > > This is perfectly safe: > set result [db1 eval {select * from X where label = $myStringValue and id > > $compId}] > > But you MUST

Re: [sqlite] Protect against SQL injection inside of the database?

2009-07-16 Thread Michael Schlenker
Fredrik Karlsson wrote: > Dear list, > > Sorry for jumping onto the list mainly to ask a question, but it is an > important one, and I have failed to find the answer on Google. > I am developing a prototype of an application in Tcl using sqlite as > the backend database. Now, I know that I will

Re: [sqlite] Protect against SQL injection inside of the database?

2009-07-16 Thread Pavel Ivanov
Does Tcl support binding of parameters to prepared statements? If yes then do just that and you will not need to do any "quotes" and think of any "ifs". Pavel On Thu, Jul 16, 2009 at 3:49 AM, Fredrik Karlsson wrote: > Dear list, > > Sorry for jumping onto the list mainly to

[sqlite] Protect against SQL injection inside of the database?

2009-07-16 Thread Fredrik Karlsson
Dear list, Sorry for jumping onto the list mainly to ask a question, but it is an important one, and I have failed to find the answer on Google. I am developing a prototype of an application in Tcl using sqlite as the backend database. Now, I know that I will be dealing with quite naïve users,