Simon, There are fields (columns) in your invoices table named 1.23 and 7524? Why did you do this (or did you just use the wrong quotes around text strings?)
--- The fact that there's a Highway to Hell but only a Stairway to Heaven says a lot about anticipated traffic volume. >-----Original Message----- >From: sqlite-users [mailto:sqlite-users- >boun...@mailinglists.sqlite.org] On Behalf Of Simon Slavin >Sent: Wednesday, 17 April, 2019 12:22 >To: SQLite mailing list >Subject: Re: [sqlite] Use cases for sqlite3_value_frombind()? > >On 17 Apr 2019, at 6:37pm, Stephen Chrzanowski <pontia...@gmail.com> >wrote: > >> What measures the trustworthiness? At what point would the running >> application be notified that the statement was bound or injection >avenue? > >You can include parameters as text in your SQL command: > > UPDATE invoices SET toBePaid="1.23" WHERE customerId="7524" > >If someone is attacking your server using SQL injection on a whole >statement, that's what they'd do. And sqlite3_value_frombind() would >return FALSE. Of course, to detect this the application does need to >call sqlite3_value_frombind() on each parameter it cares about. >_______________________________________________ >sqlite-users mailing list >sqlite-users@mailinglists.sqlite.org >http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users