Recall that SQLite was originally created as a Tcl (https://www.tcl.tk/) extension.

Using TCL, the first example reported in the article would be coded like this:

    set result [db eval {SELECT count(*) FROM users WHERE userid=$_POST(newid)}]

With the TCL interface to SQLite, the code above is *not* an SQL injection. Because the SQL statement is enclosed in {...}, the $_POST(newid) is not expanded but is passed to the SQLite parser as a parameter. Then, before the SQL statement is run, the value in the $_POST(newid) TCL variable is bound to the parameter with the same name. SQLite understands TCL-style variable names as parameters in SQL statements, for exactly this reason.

It is still possible to get an SQL injection using the TCL interface (for example, by enclosing the SQL statement in "..." instead of {...}), but you almost have to try to make the error with TCL. You are less likely to make an SQL injection error by mistake.

-- 
D. Richard Hipp
d...@sqlite.org

sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
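The same distinction, as an added example that is not part of the post above: SQLite's `$name` parameter syntax is also accepted by Python's `sqlite3` module, so the two functions below stand in for the Tcl "..." (text substituted before parsing) and {...} (value bound after parsing) cases. The table, rows and the sample input are constructed for this example.

```python
import sqlite3


def make_db():
    """Build a small in-memory users table (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(userid INTEGER, name TEXT)")
    con.executemany(
        "INSERT INTO users(userid, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    return con


def count_interpolated(con, newid):
    # Analogue of Tcl "..." quoting: the untrusted value is spliced into the
    # SQL text before SQLite ever sees it, so it is parsed as SQL.
    sql = f"SELECT count(*) FROM users WHERE userid={newid}"
    return con.execute(sql).fetchone()[0]


def count_bound(con, newid):
    # Analogue of Tcl {...} quoting: SQLite parses the literal token $newid as
    # a named parameter; the value is bound afterwards and is only ever data.
    sql = "SELECT count(*) FROM users WHERE userid=$newid"
    return con.execute(sql, {"newid": newid}).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    benign = "2"
    hostile = "2 OR 1=1"  # constructed sample of a value that is not a plain id
    # A well-formed id behaves the same either way: one matching row.
    print(count_interpolated(con, benign), count_bound(con, benign))    # 1 1
    # The non-numeric value becomes part of the WHERE clause when interpolated
    # (every row matches), but compares as plain text when bound (no row matches).
    print(count_interpolated(con, hostile), count_bound(con, hostile))  # 3 0
```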