Gert Corthout wrote:
> I can see only 1 very long-shot security issue. Assuming I am a mala fide
> programmer at our company I could add ESCAPE ']' to a
> vital query that takes user input and then use ]' to break out and inject
> some SQL in the live system, right?
A malicious developer with a
On 20 Oct 2011, at 1:55pm, Gert Corthout wrote:
> I can see only 1 very long-shot security issue. Assuming I am a mala fide
> programmer at our company I could add ESCAPE ']' to a vital query that takes
> user input and then use ]' to break out and inject some SQL in the live
> system, right?
whoops, forget that, it's not possible as the sql injection would undo the
ESCAPE clause
> From: gert_corth...@hotmail.com
> To: sqlite-users@sqlite.org
> Date: Thu, 20 Oct 2011 14:55:00 +0200
> Subject: Re: [sqlite] string conatenated sql statements
>
>
>
> To: sqlite-users@sqlite.org
> From: itandet...@mvps.org
> Date: Thu, 20 Oct 2011 07:55:26 -0400
> Subject: Re: [sqlite] string conatenated sql statements
>
> Gert Corthout wrote:
> > My argument so far is that parametrized queries are way faster if used
> >
Information Systems
From: sqlite-users-boun...@sqlite.org [sqlite-users-boun...@sqlite.org] on
behalf of Gert Corthout [gert_corth...@hotmail.com]
Sent: Thursday, October 20, 2011 3:21 AM
To: sqlite-users@sqlite.org
Subject: EXT :[sqlite] string conatenated sql
On Thu, Oct 20, 2011 at 7:55 AM, Igor Tandetnik wrote:
> Gert Corthout wrote:
> > My argument so far is that parametrized queries are way faster if used
> properly.
> > The next obvious argument is sql injection. On all string input a simple
> conversion is done: any ' is replaced by '', that's
Gert Corthout wrote:
> My argument so far is that parametrized queries are way faster if used
> properly.
> The next obvious argument is sql injection. On all string input a simple
> conversion is done: any ' is replaced by '', that's it.
> This seems to block off any sql injection right there a
hello,
I am looking at the data layer of my company's software and noticed we build
our queries with string concatenation (including user input). As a former
Oracle and SqlServer developer this sends shivers down my spine. I am trying to
convince management to get a budget for a switch to par