Re: [sqlite] string conatenated sql statements

2011-10-20 Thread Igor Tandetnik
Gert Corthout wrote: > I can see only 1 very long-shot security issue. Assuming I am a mala fide > programmer at our company I could add ESCAPE ']' to a > vital query that takes user input and then use ]' to break out and inject > some SQL in the live system, right?

Re: [sqlite] string conatenated sql statements

2011-10-20 Thread Simon Slavin
On 20 Oct 2011, at 1:55pm, Gert Corthout wrote: > I can see only 1 very long-shot security issue. Assuming I am a mala fide > programmer at our company I could add ESCAPE ']' to a vital query that takes > user input and then use ]' to break out and inject some SQL in the live > system, right?

Re: [sqlite] string conatenated sql statements

2011-10-20 Thread Gert Corthout
Whoops, forget that, it's not possible as the SQL injection would undo the ESCAPE clause. > From: gert_corth...@hotmail.com > To: sqlite-users@sqlite.org > Date: Thu, 20 Oct 2011 14:55:00 +0200 > Subject: Re: [sqlite] string conatenated sql statements

Re: [sqlite] string conatenated sql statements

2011-10-20 Thread Gert Corthout
> To: sqlite-users@sqlite.org > From: itandet...@mvps.org > Date: Thu, 20 Oct 2011 07:55:26 -0400 > Subject: Re: [sqlite] string conatenated sql statements > > Gert Corthout <gert_corth...@hotmail.com> wrote: > > My argument so far is that parametrized

Re: [sqlite] string conatenated sql statements

2011-10-20 Thread Black, Michael (IS)
Information Systems From: sqlite-users-boun...@sqlite.org [sqlite-users-boun...@sqlite.org] on behalf of Gert Corthout [gert_corth...@hotmail.com] Sent: Thursday, October 20, 2011 3:21 AM To: sqlite-users@sqlite.org Subject: EXT :[sqlite] string conatenated sql

Re: [sqlite] string conatenated sql statements

2011-10-20 Thread Richard Hipp
On Thu, Oct 20, 2011 at 7:55 AM, Igor Tandetnik wrote: > Gert Corthout wrote: > > My argument so far is that parametrized queries are way faster if used > properly. > > The next obvious argument is sql injection. On all string input a simple >

Re: [sqlite] string conatenated sql statements

2011-10-20 Thread Igor Tandetnik
Gert Corthout wrote: > My argument so far is that parametrized queries are way faster if used > properly. > The next obvious argument is sql injection. On all string input a simple > conversion is done: any ' is replaced by '', that's it. > This seems to block off any

[sqlite] string conatenated sql statements

2011-10-20 Thread Gert Corthout
Hello, I am looking at the data layer of my company's software and noticed we build our queries with string concatenation (including user input). As a former Oracle and SQL Server developer this sends shivers down my spine. I am trying to convince management to get a budget for a switch to
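The two mechanisms the thread argues about, the "replace every ' with ''" escape from the original post and bound parameters, and the ESCAPE ']' idea from later in the thread, can be checked side by side against SQLite directly. The following is an added example written for this page; it is not code from the thread or from SQLite. The table, rows and payloads are constructed here for illustration, and the helper names (quote, find_concat, find_param, like_concat, like_param, compare) are this example's own.

```python
import sqlite3

# Constructed sample data, not taken from the thread.
ROWS = [
    ("alice", "Alice's Bakery"),
    ("bob", "Bob & Co"),
    ("carol", "Carol Trading"),
]

# Payloads to run through both query styles. The last one is the
# "]'" sequence the thread speculated might break out of a LIKE ... ESCAPE ']'.
PAYLOADS = [
    "alice",
    "' OR 1=1 --",
    "x' UNION SELECT company FROM users --",
    "]' OR 1=1 --",
]


def setup():
    """In-memory database with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, company TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return con


def quote(value):
    """The escape the original post describes: every ' becomes ''.

    This is the SQL string-literal escape SQLite itself uses, so the
    result is always one literal, however many quotes the input has.
    """
    return "'" + value.replace("'", "''") + "'"


def find_concat(con, name):
    """Concatenated query, relying only on quote() for safety."""
    sql = "SELECT company FROM users WHERE name = " + quote(name)
    return [row[0] for row in con.execute(sql)]


def find_param(con, name):
    """Same query with a bound parameter; the value never touches the SQL text."""
    rows = con.execute("SELECT company FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def like_concat(con, fragment):
    """LIKE ... ESCAPE ']' with the pattern concatenated in.

    The ESCAPE character only changes how LIKE reads the pattern string;
    the SQL lexer has already finished with the literal by then, so a
    "]'" in the input cannot close the literal. Inside the pattern,
    "]'" just means a literal apostrophe.
    """
    pattern = quote("%" + fragment + "%")
    sql = "SELECT name FROM users WHERE company LIKE " + pattern + " ESCAPE ']'"
    return [row[0] for row in con.execute(sql)]


def like_param(con, fragment):
    """Same LIKE ... ESCAPE ']' query with the pattern bound as a parameter."""
    rows = con.execute(
        "SELECT name FROM users WHERE company LIKE ? ESCAPE ']'",
        ("%" + fragment + "%",),
    )
    return [row[0] for row in rows]


def compare(con):
    """Run every payload through both styles; returns {payload: (concat, param)}."""
    return {p: (find_concat(con, p), find_param(con, p)) for p in PAYLOADS}


if __name__ == "__main__":
    con = setup()
    for payload, (concat, param) in compare(con).items():
        print(repr(payload), concat, param)
    print("LIKE with ]':", like_concat(con, "]'"), like_param(con, "]'"))
```

For string values the two styles return identical rows for every payload, including the ones that would open a new clause if the quote were not doubled, and the "]'" input matches only the row whose company contains an apostrophe, which is what Gert's retraction says. The example deliberately covers only string literals, the case the thread discusses; the escape in quote() does nothing for a value spliced into SQL without surrounding quotes, which is one reason the bound-parameter form is the easier one to get right everywhere.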