On 4/17/19, Peter da Silva wrote:
> whether it's a
> bound parameter or a constant in the query string doesn't tell you if it's
> from a trusted source or not.
How do you get an SQL injection vulnerability to call sqlite3_bind()?
Worst case is that the attacker can make use of an existing parame
I don't think I would use this as a security indicator, whether it's a
bound parameter or a constant in the query string doesn't tell you if it's
from a trusted source or not. This is more an indicator that this value is
likely to change in subsequent queries.
>-Original Message-
>From: sqlite-users [mailto:sqlite-users-
>boun...@mailinglists.sqlite.org] On Behalf Of Keith Medcalf
>Sent: Wednesday, 17 April, 2019 12:38
>To: SQLite mailing list
>Subject: Re: [sqlite] Use cases for sqlite3_value_frombind(
On 17 Apr 2019, at 7:37pm, Keith Medcalf wrote:
> There are fields (columns) in your invoices table named 1.23 and 7524? Why
> did you do this (or did you just use the wrong quotes around text strings?)
I used the wrong quotes. Sorry, I've been doing things in other languages
recently.
>-Original Message-
>From: sqlite-users [mailto:sqlite-users-
>boun...@mailinglists.sqlite.org] On Behalf Of Simon Slavin
>Sent: Wednesday, 17 April, 2019 12:22
>To: SQLite mailing list
>Subject: Re: [sqlite] Use cases for sqlite3_value_frombind()?
>
>On 17 Apr 2019, a
So it becomes the responsibility of the application to acknowledge when
binding is allowed or not. Got it. Clear now. Thanks.
I was thinking small in this case. In my own app I know what's being fed, and I
already bind most things, but I absolutely can see the use of this. Time
to see if I can add
On 17 Apr 2019, at 6:37pm, Stephen Chrzanowski wrote:
> What measures the trustworthiness? At what point would the running
> application be notified that the statement was bound or injection avenue?
You can include parameters as text in your SQL command:
UPDATE invoices SET toBePaid="1.23"
What measures the trustworthiness? At what point would the running
application be notified that the statement was bound or injection avenue?
On Wed, Apr 17, 2019 at 12:40 PM Richard Hipp wrote:
> On 4/17/19, Jens Alfke wrote:
> > The new sqlite3_value_frombind() function sounds intriguing — "T
On 4/17/19, Jens Alfke wrote:
> The new sqlite3_value_frombind() function sounds intriguing — "True if value
> originated from a bound parameter
> — but I’m drawing a blank thinking of use cases for it. Optimizations?
> Security? What was the rationale for adding it?
This facilitates additional s
The commit that added it (
https://www3.sqlite.org/cgi/src/info/b3f2c3205a28dc21) says that it's used
to improve fts3_tokenizer(), so maybe look at the diffs of that function to
see how it's used there to get an idea for what it's intended for?
On Wed, Apr 17, 2019, 9:22 AM Jens Alfke wrote:
> T
The new sqlite3_value_frombind() function sounds intriguing — "True if value
originated from a bound parameter
— but I’m drawing a blank thinking of use cases for it. Optimizations?
Security? What was the rationale for adding it?
—Jens