On 17 Apr 2019, at 6:37pm, Stephen Chrzanowski <pontia...@gmail.com> wrote:

> What measures the trustworthiness?  At what point would the running
> application be notified that the statement was bound or injection avenue?

You can include parameters as text in your SQL command:

    UPDATE invoices SET toBePaid="1.23" WHERE customerId="7524"

If someone is attacking your server using SQL injection on a whole statement, 
that's what they'd do.  And sqlite3_value_frombind() would return FALSE.  Of 
course, to detect this the application does need to call 
sqlite3_value_frombind() on each parameter it cares about.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
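
An added example, not part of the original message or of SQLite's own code: sqlite3_value_frombind() takes a sqlite3_value, so the check has to run where such values are visible, for instance inside an application-defined SQL function. The sketch below calls the C API through Python's ctypes, assuming a shared SQLite library of version 3.28.0 or later is installed; `is_bound`, `bound_flags` and `SAMPLE_SQL` are hypothetical names.

```python
import ctypes
import ctypes.util

# Assumption: a shared SQLite library (3.28.0 or later) is installed.
lib = ctypes.CDLL(ctypes.util.find_library("sqlite3") or "libsqlite3.so.0")
VP = ctypes.c_void_p
lib.sqlite3_value_frombind.argtypes = [VP]
lib.sqlite3_result_int.argtypes = [VP, ctypes.c_int]
lib.sqlite3_result_int.restype = None
XFUNC = ctypes.CFUNCTYPE(None, VP, ctypes.c_int, ctypes.POINTER(VP))
SQLITE_OK, SQLITE_ROW, SQLITE_UTF8 = 0, 100, 1


@XFUNC
def is_bound(ctx, argc, argv):
    # Hypothetical SQL function is_bound(X): 1 if X came from sqlite3_bind_*(),
    # 0 if it is a literal, a column value or the result of an expression.
    flag = lib.sqlite3_value_frombind(argv[0])
    lib.sqlite3_result_int(ctx, 1 if flag else 0)


def bound_flags(sql, *int_params):
    """Bind int_params to ?1, ?2, ... and return the first result row as ints."""
    db, stmt = VP(), VP()
    try:
        if lib.sqlite3_open(b":memory:", ctypes.byref(db)) != SQLITE_OK:
            raise RuntimeError("sqlite3_open failed")
        rc = lib.sqlite3_create_function_v2(
            db, b"is_bound", 1, SQLITE_UTF8, None, is_bound, None, None, None)
        if rc == SQLITE_OK:
            rc = lib.sqlite3_prepare_v2(
                db, sql.encode(), -1, ctypes.byref(stmt), None)
        if rc != SQLITE_OK:
            raise RuntimeError(f"setup failed, rc={rc}")
        for index, value in enumerate(int_params, start=1):
            lib.sqlite3_bind_int(stmt, index, value)
        if lib.sqlite3_step(stmt) != SQLITE_ROW:
            raise RuntimeError("statement returned no row")
        ncols = lib.sqlite3_column_count(stmt)
        return [lib.sqlite3_column_int(stmt, col) for col in range(ncols)]
    finally:
        lib.sqlite3_finalize(stmt)  # both calls are no-ops on NULL handles
        lib.sqlite3_close(db)


# Constructed input: the same customer id as a bound parameter and as a literal.
SAMPLE_SQL = "SELECT is_bound(?1), is_bound(7524), is_bound(?1 + 0)"

if __name__ == "__main__":
    print(bound_flags(SAMPLE_SQL, 7524))
```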
