Hi all,

just seeking some opinions, and perhaps some dev indications about
deprecation, in relation to the sqlite3_exec facility. I kind of like the
callback functionality in certain cases as it is convenient in some
circumstances where the sql injection problem is not an issue.

Ok, I say it is not an issue, but am I right? I am no security expert and
have often been surprised at some of the hack techniques used over the
years. The sql injection issue as far as I can tell depends on where the
offending sql originates, but don't hesitate to contradict that assumption
if you believe it is wrong.

In a scenario where the sql supplied to the callback routine is application
generated or indeed application constant based does the sql injection
threat disappear? Is this a valid assumption? In other words there is no
user supplied sql via arguments, with only database name and table name
required from the user. This would appear to be immune to that technique or
am I misguided? I'm never certain when it comes to security stuff, I hate
it.

In a similar vein I noted in an O'Reilly publication it mentioned that the
exec method was semi-deprecated and should be avoided. I wondered what the
view of the SQLite dev crew was, and if there were any plans in the future
to drop the exec function? In light of the team's focus on backward
compatibility I suspect there are no such plans but I thought I'd ask
anyway just to be sure. Thanks in advance for any helpful comments.


-- 
Regards,
     Michael.j.Falconer.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
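The distinction the post is asking about, as an added example that is not part of the original message or the SQLite project's own code: it uses Python's standard-library sqlite3 module (which sits on the SQLite C API) rather than calling sqlite3_exec from C, but the point is the same, since what matters is where the statement text comes from, not which entry point runs it. The schema and the inputs are constructed for the example. Two cases are shown: a constant statement where only a value comes from the user (a `?` parameter removes the problem), and the case raised in the post where the table name comes from the user, which is exactly the part a parameter cannot cover, so the name has to be validated against the catalog and quoted as an identifier.

```python
"""Where the SQL text originates decides whether injection is possible.

Added illustration, not code from the mailing-list post. Uses the stdlib
sqlite3 module; the sample schema below is constructed for the example.
"""
import sqlite3

# Constructed sample data (assumption for the example, not from the post).
SAMPLE_SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
INSERT INTO users (name, secret) VALUES ('alice', 'apple'), ('bob', 'hunter2');
CREATE TABLE audit (id INTEGER PRIMARY KEY, note TEXT);
"""


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE_SCHEMA)
    return con


# Case 1: the statement is an application constant, only a VALUE is user supplied.
def find_user_unsafe(con, name):
    # The user's text is pasted into the statement, so it becomes SQL.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in con.execute(sql)]


def find_user_safe(con, name):
    # '?' binds the value at step time; the statement text never changes,
    # so nothing the user types can alter the query's structure.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in con.execute(sql, (name,))]


# Case 2: the TABLE NAME is user supplied. Identifiers cannot be bound with
# '?', so a constant statement with a pasted-in name is still injectable.
def count_rows_unsafe(con, table):
    return con.execute("SELECT count(*) FROM " + table).fetchone()[0]


def count_rows_safe(con, table):
    # Validate the name against the catalog (an allowlist the application
    # controls), then quote it as an identifier so odd characters cannot
    # close the quotes. Both steps together keep the name from becoming SQL.
    known = {row[0] for row in con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if table not in known:
        raise ValueError("unknown table: %r" % (table,))
    quoted = '"' + table.replace('"', '""') + '"'
    return con.execute("SELECT count(*) FROM " + quoted).fetchone()[0]


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print(find_user_unsafe(con, payload))  # every user leaks
    print(find_user_safe(con, payload))    # []
    # A "table name" that is really a WHERE clause turns count(*) into a
    # yes/no oracle on another column's contents.
    print(count_rows_unsafe(con, "users WHERE secret LIKE 'h%'"))  # 1
    print(count_rows_safe(con, "users"))   # 2
    try:
        count_rows_safe(con, "users WHERE secret LIKE 'h%'")
    except ValueError as err:
        print("rejected:", err)
```

The second case is the one that matters for the scenario in the post: a constant statement with only a database or table name filled in from the user is not safe by itself, because the name is spliced into the text rather than bound. Checking it against sqlite_master (or any allowlist the application owns) and quoting it as an identifier closes that gap independently of whether the statement is run through sqlite3_exec or prepared and stepped by hand.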