On Fri, 5 Oct 2007 09:41:27 -0700, Scott Hess wrote
> On 10/5/07, Andy Goth <[EMAIL PROTECTED]> wrote:
> > proc sql_expand {varname} {
> >     upvar 1 $varname var
> >     set result [list]
> >     foreach elem $var {
> >         lappend result '[string map {' ''} $elem]'
> >     }
> >     return [join $result ,]
> > }
>
> You really should be using an SQLite-specific quote function
> somewhere.
I didn't know SQLite provided one. It normally doesn't need one, thanks to its internal expansion of Tcl variables. Oh wait, it has quote(), but this would not work for me because (by design!) its result is formatted in such a way that SQLite interprets it as a single value, *not* a list. Or I could invoke it repeatedly, once per element. But after all that overhead I imagine I would be better off using Tcl to expand my data into multiple variables; at least that way all bytecoding gets cached and I'm guaranteed to be immune to injection.

> You could work around it by doing something like [db eval {select
> quote($arg)}], but that feels clunky.

I'm pretty sure I know how SQLite will perform quote()'ing, and I can implement it in pure Tcl easily enough, so I might as well leave it in Tcl. Tcl should be able to bytecode string manipulation better than SQLite; string manipulation is Tcl's raison d'être. But maybe I'm wrong about how quote() works. Can somebody confirm? In my mind, quote($x) is equivalent to '[string map {' ''} $x]'.

> The quoting you're using will work fine for many cases, but is
> subject to SQL injection attack.

Could you please provide an example?

-- 
Andy Goth <[EMAIL PROTECTED]>

-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------