"Scott Hess" <[EMAIL PROTECTED]> wrote:
> You really should be using an SQLite-specific quote function
> somewhere. But ... I don't see one in there (I'd have expected it to
> be something like [db quote $arg]). You could work around it by doing
> something like [db eval {select quote($arg)}], but that feels clunky.
>
> The quoting you're using will work fine for many cases, but is
> subject to SQL injection attack.
>
The built-in quoting function is:
zQuoted = sqlite3_mprintf("%Q", zUnquoted);
But the %Q quoter does exactly what Andy's code does.
It does exactly the same thing as
'[string map {' ''} $unquoted]'
So if you know of a way that this can lead to an SQL
injection attack, please let us know so that we can
fix the %Q quoter.
--
D. Richard Hipp <[EMAIL PROTECTED]>
-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
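The exchange above turns on one claim: that doubling every single quote and wrapping the result in single quotes (what Tcl's `[string map {' ''} $unquoted]` does, and what `sqlite3_mprintf("%Q", ...)` does) is the complete escaping rule for an SQLite string literal. The following is an added example, not code from the thread or from SQLite itself; it uses Python's `sqlite3` module to compare that hand-rolled quoting against SQLite's own `quote()` SQL function, and then feeds constructed injection-style inputs through the interpolated literal to confirm each one round-trips as a single string value. The sample strings are constructed for this test.

```python
import sqlite3

# Constructed sample inputs (not from the original thread): an apostrophe in
# ordinary data plus the usual injection attempts. Backslash is included because
# SQLite, unlike some other engines, gives it no special meaning in a literal.
SAMPLES = [
    "O'Reilly",
    "'; DROP TABLE users; --",
    "' OR '1'='1",
    "\\' OR 1=1 --",
    "plain",
    "",
]


def quote_sqlite(s: str) -> str:
    """Same transformation as '[string map {' ''} $unquoted]' and %Q:
    double every single quote, then wrap the whole thing in single quotes."""
    return "'" + s.replace("'", "''") + "'"


def builtin_quote(conn: sqlite3.Connection, s: str) -> str:
    """Ask SQLite's own quote() function how it would render s as a literal."""
    return conn.execute("SELECT quote(?)", (s,)).fetchone()[0]


def roundtrip(conn: sqlite3.Connection, s: str) -> bool:
    """Build the literal by string interpolation, the way the thread's code does,
    and check that SQLite parses it back as exactly one value equal to s."""
    rows = conn.execute("SELECT " + quote_sqlite(s)).fetchall()
    return len(rows) == 1 and rows[0][0] == s


def check_all():
    """Return ({sample: bool}, stored_rows): whether each sample matched the
    built-in quoter and round-tripped, and what actually landed in the table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    results = {}
    for s in SAMPLES:
        same_as_builtin = quote_sqlite(s) == builtin_quote(conn, s)
        ok = roundtrip(conn, s)
        # Insert through the interpolated literal. Python's sqlite3 refuses to run
        # more than one statement per execute(), so a smuggled second statement
        # would raise here rather than silently run.
        conn.execute("INSERT INTO users(name) VALUES (" + quote_sqlite(s) + ")")
        results[s] = same_as_builtin and ok
    stored = [r[0] for r in conn.execute("SELECT name FROM users ORDER BY rowid")]
    conn.close()
    return results, stored


if __name__ == "__main__":
    results, stored = check_all()
    for s, ok in results.items():
        print(f"{'ok ' if ok else 'BAD'} {quote_sqlite(s)}")
    print("table rows:", stored)
```

Two caveats a practitioner would want alongside this. First, the rule only applies where a string literal is expected: it does nothing for a value spliced into an identifier position (table or column name) or into an unquoted numeric position, which need different handling. Second, it is correct because SQLite's lexer treats only `'` as special inside a string literal; there is no backslash escaping and no client-side character set that can split a multibyte sequence, so the equivalence Hipp points out between `%Q` and the Tcl `string map` holds. Bound parameters (`?` placeholders, as in `builtin_quote` above) remain the simpler choice, since they never construct SQL text at all.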