Recall that SQLite was originally created as a Tcl (https://www.tcl.tk/)
extension.

Using TCL, the first example reported in the article would be coded like this:

  set result [db eval {SELECT count(*) FROM users WHERE userid=$_POST(newid)}]

With the TCL interface to SQLite, the code above is *not* an SQL
injection.  Because the SQL statement is enclosed in {...} the
$_POST(newid) is expanded but is passed to the SQLite parser as a
parameter.  Then before the SQL statement is run, the value in the
$_POST(newid) TCL variable is bound to the parameter with the same
name.

SQLite understands TCL-style variable names as parameters in SQL
statements, for exactly this reason.

It is still possible to get an SQL injection using the TCL interface
(for example, by enclosing the SQL statement in "..." instead of
{...}) but you almost have to try to make the error with TCL.  You are
less likely to make an SQL injection error by mistake.
-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
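The braces-versus-quotes distinction described above, run end to end against a constructed in-memory database. This is an added example, not part of Hipp's message; the users table, its rows, and the newid value are made up for the demonstration.

```tcl
package require sqlite3

# Constructed in-memory database with two rows for the demonstration.
sqlite3 db :memory:
db eval {CREATE TABLE users(userid TEXT)}
db eval {INSERT INTO users VALUES('alice'), ('bob')}

# Untrusted input standing in for $_POST(newid) in the original post.
set newid {x' OR 1=1 --}

# Braces: Tcl performs no substitution inside {...}. SQLite receives the
# literal text $newid, treats it as a named parameter, and the Tcl
# interface binds the variable's value to it before the statement runs.
# The whole string is compared as one value, so no row matches.
set safe [db eval {SELECT count(*) FROM users WHERE userid=$newid}]
puts "braces: $safe"   ;# 0

# Double quotes: Tcl substitutes the variable into the SQL text before
# SQLite sees it, so the input becomes part of the statement itself and
# the count covers every row in the table.
set unsafe [db eval "SELECT count(*) FROM users WHERE userid='$newid'"]
puts "quotes: $unsafe"  ;# 2

# The bound form behaves as intended for ordinary input as well.
set newid alice
puts "braces, alice: [db eval {SELECT count(*) FROM users WHERE userid=$newid}]"  ;# 1

db close
```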