Fredrik Karlsson schrieb: > Dear list, > > Sorry for jumping onto the list mainly to ask a question, but it is an > imporant one, and I have failed to find the answer on Google. > I am developing a prototype of an application in Tcl using sqlite as > the backend database. Now, I know that I will be dealing with quite > naïve users, who will not think that "!' and simialar characters are > evil and potentially dangerous in a SQL database context. So, now I > need to make sure that I am taking all the precautions I can to > protect the database from evil / naïve users, and since parts of the > application may be ported to C for speed later, I would prefer as much > of it to happen in the SQL queries themselves, in order to make sure > that the behaviour stays constant when porting. > > My currrent strategy is to use a combination of quote() and trim() (as > blank space at the ends of a string is not important in my > application). So, for each string value I get from the user, I do > something similar to > > set out [format {select * from X where label == quote(trim("%s")) and > id > %d } $myStringValue $compId ] > > (Please ignore the Tcl part if you are not familiar with it.. format > is basically (almost) sprintf in a new name )
Your working far too hard. The sqlite Tcl binding already does all thats needed. This is perfectly safe: set result [db1 eval {select * from X where label = $myStringValue and id > $compId}] But you MUST use {} to quote your query and not "", so sqlite gets to do the substitution (or better said convert things to prepared statements and bind values correctly) and not Tcl. Michael -- Michael Schlenker Software Engineer CONTACT Software GmbH Tel.: +49 (421) 20153-80 Wiener Straße 1-3 Fax: +49 (421) 20153-41 28359 Bremen http://www.contact.de/ E-Mail: m...@contact.de Sitz der Gesellschaft: Bremen Geschäftsführer: Karl Heinz Zachries, Ralf Holtgrefe Eingetragen im Handelsregister des Amtsgerichts Bremen unter HRB 13215 _______________________________________________ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users