Hi all, just seeking some opinions, and perhaps some dev indications about deprecation, in relation to the sqlite3_exec facility. I kind of like the callback functionality in certain cases as it is convenient in some circumstances where the SQL injection problem is not an issue.

OK, I say it is not an issue, but am I right? I am no security expert and have often been surprised at some of the hack techniques used over the years. The SQL injection issue, as far as I can tell, depends on where the offending SQL originates, but don't hesitate to contradict that assumption if you believe it is wrong. In a scenario where the SQL supplied to the callback routine is application generated or indeed application constant based, does the SQL injection threat disappear? Is this a valid assumption? In other words, there is no user-supplied SQL via arguments, with only database name and table name required from the user. This would appear to be immune to that technique, or am I misguided? I'm never certain when it comes to security stuff, I hate it.

In a similar vein, I noted in an O'Reilly publication it mentioned that the exec method was semi-deprecated and should be avoided. I wondered what the view of the SQLite dev crew was, and if there were any plans in the future to drop the exec function? In light of the team's focus on backward compatibility I suspect there are no such plans, but I thought I'd ask anyway just to be sure.

Thanks in advance for any helpful comments.

--
Regards,
Michael.j.Falconer.

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
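An added example, not part of the original post and not SQLite's own code: in the scenario the post describes, the user-supplied table name still becomes part of the SQL text handed to sqlite3_exec, and SQLite parameters bind values, not identifiers, so one approach is to quote the name as an identifier before building the statement. The helper names `quote_identifier` and `build_count_sql`, the sample query and the length cap are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Quote `name` as an SQL identifier: wrap it in double quotes and double any
 * embedded double quote. Returns 0 on success, -1 if the name is empty or
 * the quoted form does not fit in `out`. */
int quote_identifier(const char *name, char *out, size_t outlen)
{
    size_t o = 0;
    if (name == NULL || name[0] == '\0' || outlen < 4)
        return -1;
    out[o++] = '"';
    for (const char *p = name; *p != '\0'; p++) {
        size_t need = (*p == '"') ? 2 : 1;
        if (o + need + 2 > outlen)      /* keep room for closing quote + NUL */
            return -1;
        if (*p == '"')
            out[o++] = '"';
        out[o++] = *p;
    }
    out[o++] = '"';
    out[o] = '\0';
    return 0;
}

/* Build the SQL text that would be handed to sqlite3_exec(). The statement is
 * application-generated; only the table name comes from the user. */
int build_count_sql(const char *table, char *sql, size_t sqllen)
{
    char ident[130];    /* hypothetical cap on the quoted name's length */
    int n;
    if (quote_identifier(table, ident, sizeof ident) != 0)
        return -1;
    n = snprintf(sql, sqllen, "SELECT count(*) FROM %s;", ident);
    return (n < 0 || (size_t)n >= sqllen) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the post. */
    const char *samples[] = { "orders", "x\"; DROP TABLE y; --", "" };
    char sql[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (build_count_sql(samples[i], sql, sizeof sql) == 0)
            printf("%s\n", sql);
        else
            printf("rejected: [%s]\n", samples[i]);
    }
    return 0;
}
```

With the second constructed input the whole string stays inside one quoted identifier, so the statement names a single (nonexistent) table instead of carrying a second statement.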