I am using sqlite3 with Ruby and hope I'm not out of place here in asking for some help on how to stop or reduce injection threats via SQL statements made by a user, be it accidental or deliberate.

I want to build a select query from user-entered data and then return rows that match, e.g.

    stmt = "select * from customers where cust_no = #{uservar}"
    row = db.execute(stmt)

Note: #{uservar} is saying put the value contained in uservar into this string statement.

I am not 100% sure on how binding works with Ruby either and would like to use Ruby's DBI (equivalent to an ODBC driver of old). Could use Active Record, but that will be the next step, and I think it's nice to know how to reduce these sorts of threats anyway. My knowledge of SQL is enough to get by on.

thanks,
Dave.

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users