I am using sqlite3 with ruby and hope I'm not out of place here in asking for
some help on how to stop or reduce injection threats via sql statements made
by a user, be it accidental or deliberate.

I want to build a select query from user entered data and then return rows
that match.

e.g. stmt = "select * from customers where cust_no = #{uservar}"

row = db.execute(stmt)

note:

#{uservar} is saying put the value contained in uservar into this string
statement.

I am not 100% sure on how binding works with ruby either and would like to
use ruby's DBI (equivalent to an ODBC driver of old).

I could use ActiveRecord but that will be the next step, and I think it's nice
to know how to reduce these sorts of threats anyway.

My knowledge of SQL is enough to get by on.

thanks,

Dave.
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users