On 4/17/19, Peter da Silva wrote:
> whether it's a
> bound parameter or a constant in the query string doesn't tell you if it's
> from a trusted source or not.
How do you get an SQL injection vulnerability to call sqlite3_bind()?
Worst case is that the attacker can make use of an existing
I don't think I would use this as a security indicator, whether it's a
bound parameter or a constant in the query string doesn't tell you if it's
from a trusted source or not. This is more an indicator that this value is
likely to change in subsequent queries.
pated traffic volume.
>-----Original Message-----
>From: sqlite-users [mailto:sqlite-users-
>boun...@mailinglists.sqlite.org] On Behalf Of Keith Medcalf
>Sent: Wednesday, 17 April, 2019 12:38
>To: SQLite mailing list
>Subject: Re: [sqlite] Use cases for sqlite3_value_frombind()?
On 17 Apr 2019, at 7:37pm, Keith Medcalf wrote:
> There are fields (columns) in your invoices table named 1.23 and 7524? Why
> did you do this (or did you just use the wrong quotes around text strings?)
I used the wrong quotes. Sorry, I've been doing things in other languages
recently.
>-----Original Message-----
>From: sqlite-users [mailto:sqlite-users-
>boun...@mailinglists.sqlite.org] On Behalf Of Simon Slavin
>Sent: Wednesday, 17 April, 2019 12:22
>To: SQLite mailing list
>Subject: Re: [sqlite] Use cases for sqlite3_value_frombind()?
>
>On 17 Apr 2019, at 6:3
So it becomes the responsibility of the application to acknowledge when
binding is allowed or not. Got it. Clear now. Thanks.
I was thinking small in this case. My own app, I know what's being fed, I
already bind most things, but I absolutely can see the use of this. Time
to see if I can add
On 17 Apr 2019, at 6:37pm, Stephen Chrzanowski wrote:
> What measures the trustworthiness? At what point would the running
> application be notified that the statement was bound or injection avenue?
You can include parameters as text in your SQL command:
UPDATE invoices SET
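The distinction this thread turns on, a value spliced into the SQL text versus a value supplied through a bound parameter, as an added Python example that is not code from the thread, from Simon Slavin or from SQLite itself. Python's standard sqlite3 module does not expose sqlite3_value_frombind(), so this shows the two paths from the application side: the spliced value is parsed as SQL, so a constructed attacker string widens the WHERE clause, while the bound value never reaches the parser at all. The invoices table, its rows and the attacker string are constructed here; the last function reproduces the wrong-quotes slip mentioned elsewhere in the thread, where a double-quoted value is tried as a column name first.

```python
import sqlite3

# Constructed sample rows; not data from the mailing-list thread.
SAMPLE_INVOICES = [
    (7523, "acme", 10.00),
    (7524, "acme", 1.23),
    (7525, "globex", 99.50),
]


def make_db():
    """In-memory invoices table seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer TEXT, total REAL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", SAMPLE_INVOICES)
    conn.commit()
    return conn


def totals_as_text(conn, invoice_id):
    """Value spliced into the SQL text. Whatever invoice_id contains is
    handed to the SQL parser, so a caller who controls it controls the
    statement: "7524 OR 1=1" turns a one-row lookup into a full dump."""
    sql = f"SELECT id, total FROM invoices WHERE id = {invoice_id}"
    return conn.execute(sql).fetchall()


def totals_bound(conn, invoice_id):
    """Same query with a bound parameter. The SQL text is a fixed string;
    the value travels separately (sqlite3_bind_* underneath) and is only
    ever compared, never parsed. The same attacker string matches nothing."""
    sql = "SELECT id, total FROM invoices WHERE id = ?"
    return conn.execute(sql, (invoice_id,)).fetchall()


def update_total_bound(conn, total, invoice_id):
    """The UPDATE from the thread, written with bound parameters.
    Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE invoices SET total = ? WHERE id = ?", (total, invoice_id)
    )
    conn.commit()
    return cur.rowcount


def update_total_double_quoted(conn):
    """The wrong-quotes slip: double quotes are identifier quotes in SQL, so
    "1.23" and "7524" are first looked up as column names. With no such
    columns, SQLite either falls back to treating them as string literals
    (the legacy default) or, when built with SQLITE_DQS=0, rejects the
    statement with 'no such column'. Returns which of the two happened."""
    try:
        conn.execute('UPDATE invoices SET total = "1.23" WHERE id = "7524"')
        conn.commit()
        return "literal"
    except sqlite3.OperationalError:
        return "identifier"


if __name__ == "__main__":
    db = make_db()
    attacker = "7524 OR 1=1"  # constructed attacker-controlled input
    print("spliced :", totals_as_text(db, attacker))   # every row
    print("bound   :", totals_bound(db, attacker))     # no rows
    print("bound ok:", totals_bound(db, 7524))         # the one row
    print("dq path :", update_total_double_quoted(db))
```

The bound lookup with the attacker string returns no rows rather than raising: the text `7524 OR 1=1` is compared against an INTEGER column as a non-numeric string and simply never matches. That is the point behind the question of how an injection could ever reach sqlite3_bind(): the injected text can only ever be a value, not SQL.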
What measures the trustworthiness? At what point would the running
application be notified that the statement was bound or injection avenue?
On Wed, Apr 17, 2019 at 12:40 PM Richard Hipp wrote:
> On 4/17/19, Jens Alfke wrote:
> > The new sqlite3_value_frombind() function sounds intriguing —
On 4/17/19, Jens Alfke wrote:
> The new sqlite3_value_frombind() function sounds intriguing — "True if value
> originated from a bound parameter
> — but I’m drawing a blank thinking of use cases for it. Optimizations?
> Security? What was the rationale for adding it?
This facilitates additional
The commit that added it (
https://www3.sqlite.org/cgi/src/info/b3f2c3205a28dc21) says that it's used
to improve fts3_tokenizer(), so maybe look at the diffs of that function to
see how it's used there to get an idea for what it's intended for?
On Wed, Apr 17, 2019, 9:22 AM Jens Alfke wrote:
>
The new sqlite3_value_frombind() function sounds intriguing — "True if value
originated from a bound parameter
— but I’m drawing a blank thinking of use cases for it. Optimizations?
Security? What was the rationale for adding it?
—Jens