On Fri, Jul 21, 2017 at 11:07 AM, Jens Alfke <j...@mooseyard.com> wrote:

>
> > On Jul 21, 2017, at 6:45 AM, Peter Da Silva <
> peter.dasi...@flightaware.com> wrote:
> >
> > Have a look at prepared statements and statement parameters.
>
> Agreed.
>
> PLEASE, PLEASE, do not try to splice parameters into SQL strings! Any
> mistakes in this code leave you vulnerable to SQL Injection Attacks, which
> are depressingly common and cause great damage in the real world. (Some of
> the examples already posted in this thread contain such mistakes…)
>
> SQLite, like every other SQL database I know of, has APIs that let you
> safely plug runtime parameters into statements without having to do string
> concatenation or quoting or sanitization. The resulting code is safe, more
> readable, and as a bonus it’s faster because the database only has to
> compile and optimize the statement once, no matter how many times it runs.
>
> —Jens
>

And, just to interject a politically incorrect statement, any "programmer"
who does not use the safer interface is either __extremely__ ignorant, or
arrogantly stupid, and needs to be forced to write all their code in a
"baby" language like BASIC until they learn better. Either that or have
their fingers broken.


-- 
Veni, Vidi, VISA: I came, I saw, I did a little shopping.

Maranatha! <><
John McKown
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
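The point Jens makes above (splice a runtime value into the SQL text and any quoting mistake becomes an injection; bind it as a parameter and the value is never parsed as SQL) is easiest to see side by side. The following is an added example written for this page, not code posted by anyone in the thread. It uses Python's built-in sqlite3 module, which wraps SQLite's sqlite3_prepare_v2()/sqlite3_bind_*() under the `?` placeholder; the users table and its rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: an in-memory database with a small users table.
SAMPLE_ROWS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("carol", "user"),
    ("o'brien", "user"),  # a perfectly legitimate name containing a quote
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    # One prepared statement, executed once per row: the INSERT is compiled
    # once and only the bound values change between executions.
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_spliced(conn, name):
    """VULNERABLE: the runtime value becomes part of the SQL text.

    Whatever the caller passes in is parsed by SQLite as SQL, so a quote in
    the value either breaks the statement or changes its meaning.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """SAFE: the SQL text is fixed; the value is bound to the ? placeholder.

    SQLite compiles the statement with the placeholder and receives the value
    separately via sqlite3_bind_text(), so it can never be interpreted as SQL.
    No quoting, escaping or sanitising of the value is needed.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def spliced_is_syntax_error(conn, name):
    """True if the spliced query fails to parse for this input (e.g. o'brien)."""
    try:
        lookup_spliced(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


# Classic tautology payload: closes the string literal and adds OR '1'='1'.
INJECTION_PAYLOAD = "x' OR '1'='1"


def demo():
    """Return the results both ways so the difference can be inspected."""
    conn = make_db()
    return {
        "legit_spliced": lookup_spliced(conn, "bob"),
        "legit_bound": lookup_bound(conn, "bob"),
        # spliced: WHERE name = 'x' OR '1'='1'  -> every row in the table
        "attack_spliced": lookup_spliced(conn, INJECTION_PAYLOAD),
        # bound: WHERE name = <literal "x' OR '1'='1">  -> no such user
        "attack_bound": lookup_bound(conn, INJECTION_PAYLOAD),
        # a quote in ordinary data breaks the spliced query outright ...
        "quote_spliced_breaks": spliced_is_syntax_error(conn, "o'brien"),
        # ... while the bound version simply finds the user
        "quote_bound": lookup_bound(conn, "o'brien"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:22} {value}")
```

The two bugs the spliced version exhibits are the same bug: the database cannot tell data from code once they share a string. The tautology payload returns every row, and a name that merely contains an apostrophe raises a syntax error; binding fixes both without the caller having to know anything about SQLite's quoting rules.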
