"Scott Hess" <[EMAIL PROTECTED]> wrote:
> You really should be using an SQLite-specific quote function
> somewhere. But ... I don't see one in there (I'd have expected it to
> be something like [db quote $arg]). You could work around it by doing
> something like [db eval {select quote($arg)}], but that feels clunky.
>
> The quoting you're using will work fine for many cases, but is
> subject to SQL injection attack.
>
The built-in quoting function is:

    zQuoted = sqlite3_mprintf("%Q", zUnquoted);

But the %Q quoter does exactly what Andy's code does. It does exactly the same thing as

    '[string map {' ''} $unquoted]'

So if you know of a way that this can lead to an SQL injection attack, please let us know so that we can fix the %Q quoter.

--
D. Richard Hipp <[EMAIL PROTECTED]>
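The exchange above turns on one claim: wrapping a value in single quotes and doubling every embedded single quote (what the Tcl `[string map {' ''} $unquoted]` idiom and `sqlite3_mprintf("%Q", ...)` both do) yields a literal that SQLite's parser cannot be pushed out of. The following is an added example, not code from the thread or from SQLite itself. It reimplements that quoting rule in Python, runs a handful of constructed injection probes through the real SQLite engine via the standard `sqlite3` module, checks the result against SQLite's own `quote()` SQL function (the one Scott mentions) and against bound parameters, and shows the naive "just add quotes" variant leaking rows for contrast. The `users` table, its rows and the probe strings are assumptions made up for the demo.

```python
import sqlite3

# Constructed demo table for this example; the name "users" and its rows are assumptions.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    conn.commit()
    return conn


def quote_sqlite(s: str) -> str:
    """Python equivalent of the thread's Tcl idiom '[string map {' ''} $unquoted]'
    and of %Q: wrap in single quotes, double every embedded single quote.
    SQLite has no backslash escapes inside string literals, so ' is the only
    character that can terminate the literal, and doubling it is sufficient."""
    return "'" + s.replace("'", "''") + "'"


def naive_quote(s: str) -> str:
    """The broken 'before': quotes added, nothing escaped. Kept only to show the leak."""
    return "'" + s + "'"


def sqlite_quote(conn: sqlite3.Connection, s: str) -> str:
    """Ask SQLite's own quote() function how it would render the literal."""
    return conn.execute("SELECT quote(?)", (s,)).fetchone()[0]


def lookup_by_literal(conn: sqlite3.Connection, name: str) -> list:
    """Query built by string concatenation with doubled-quote escaping."""
    sql = "SELECT id FROM users WHERE name = " + quote_sqlite(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_naive_literal(conn: sqlite3.Connection, name: str) -> list:
    sql = "SELECT id FROM users WHERE name = " + naive_quote(name)
    return [row[0] for row in conn.execute(sql)]


def lookup_by_param(conn: sqlite3.Connection, name: str) -> list:
    """Reference behaviour: bound parameter, no quoting question at all."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM users WHERE name = ?", (name,))]


# Constructed probes: classic tautology, statement-splitting, a legitimate apostrophe,
# a trailing backslash (an escape in MySQL, plain data in SQLite), numeric junk, empty.
INJECTION_PROBES = [
    "alice' OR '1'='1",
    "x'; DROP TABLE users; --",
    "o'brien",
    "bob\\",
    "100 OR 1=1",
    "",
]


def quoting_matches_builtin(probes=INJECTION_PROBES) -> bool:
    """True if our doubling rule renders every probe exactly as SQLite's quote() does."""
    conn = build_db()
    return all(quote_sqlite(p) == sqlite_quote(conn, p) for p in probes)


def probes_are_inert(probes=INJECTION_PROBES) -> bool:
    """True if, for every probe, the concatenated-literal query returns the same rows as
    the bound-parameter query, and the table is intact afterwards (no DROP got through)."""
    conn = build_db()
    for p in probes:
        if lookup_by_literal(conn, p) != lookup_by_param(conn, p):
            return False
    return conn.execute("SELECT count(*) FROM users").fetchone()[0] == 3


def naive_injection_rows() -> list:
    """What the unescaped version does with the tautology probe: it returns every row."""
    conn = build_db()
    return lookup_by_naive_literal(conn, "alice' OR '1'='1")


if __name__ == "__main__":
    print("doubling matches SQLite quote():", quoting_matches_builtin())
    print("doubled-quote literals behave like bound parameters:", probes_are_inert())
    print("naive quoting returns rows for the tautology probe:", naive_injection_rows())
```

Two caveats a practitioner should keep in mind. The doubling rule is only correct when the result is placed where SQLite expects a string literal; it does nothing for values spliced into identifiers, numeric positions, or a LIKE pattern where `%` and `_` carry meaning. And the comparison against bound parameters is the real lesson: `?` placeholders sidestep the question of whether any quoting function is complete, which is why the checks above treat the bound-parameter query as the reference.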