Sorry for posting twice but... how does the method you have given me differ from mine?

E.g. let's say this is the scenario:

    uservar = "delete * from customers where * = *"
    stmt = "select * from customers where cust_no = #{uservar}"
    row = db.execute(stmt)

Now I could understand how my code could possibly allow the records in the table to be deleted, but what's the difference to the code you gave me?

    stmt = "select * from customers where cust_no = ?"
    row = db.execute(stmt, uservar)

Also I've just noticed that you've used the variable as a parameter where in my 1st reply I didn't have it - my failure to really look at the code.

dave.

2009/6/15 John Elrick <john.elr...@fenestra.com>

> dave lilley wrote:
> > I am using sqlite3 with ruby and hope I'm not out of place here in asking for
> > some help on how to stop or reduce injection threats via sql statements made
> > by a user be it accidental or deliberate.
> >
> > I want to build a select query from user entered data and then return rows
> > that match.
> >
> > e.g. stmt = "select * from customers where cust_no = #{uservar}"
> >
> > row = db.execute(stmt)
> >
>
> stmt = "select * from customers where cust_no = ?"
> row = db.execute(stmt, uservar)
>
> HTH
>
> John
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
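The two patterns contrasted in the thread, run side by side as an added example (not code from the thread or from John): it uses Python's built-in sqlite3 module instead of the Ruby gem, a constructed in-memory customers table, and the same two statements, so the same user input can be tried through each. The point it shows is that with the `?` placeholder the input is always a value compared against cust_no and never becomes part of the SQL text, so it cannot change what the statement does.

```python
import sqlite3

# Constructed sample data; not from the original thread.
SEED_ROWS = [(1, "Acme"), (2, "Bluth"), (3, "Cyberdyne")]


def make_db():
    """Fresh in-memory database with a small customers table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table customers (cust_no integer, name text)")
    db.executemany("insert into customers values (?, ?)", SEED_ROWS)
    return db


def lookup_interpolated(db, uservar):
    """Dave's pattern: the user's text is spliced into the SQL itself,
    so whatever they typed is parsed as SQL."""
    stmt = f"select * from customers where cust_no = {uservar}"
    return db.execute(stmt).fetchall()


def lookup_bound(db, uservar):
    """John's pattern: the SQL is fixed at ``cust_no = ?`` and the user's
    text is handed to SQLite separately as a value to compare against."""
    stmt = "select * from customers where cust_no = ?"
    return db.execute(stmt, (uservar,)).fetchall()


def compare(uservar):
    """Run one user input through both patterns on a fresh table.
    Returns the rows each one produced; an interpolated query that no
    longer parses is reported as an error string instead of rows."""
    db = make_db()
    try:
        interpolated = lookup_interpolated(db, uservar)
    except sqlite3.Error as exc:
        interpolated = f"error: {type(exc).__name__}"
    return {"interpolated": interpolated, "bound": lookup_bound(db, uservar)}
```

For an ordinary customer number both return the same single row; for input that would alter the WHERE clause the interpolated query returns every customer while the bound query returns none, and the exact input from the scenario above is a parse error for the interpolated query but simply matches no row when bound.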