Fredrik Karlsson schrieb:
> Dear list,
>
> Sorry for jumping onto the list mainly to ask a question, but it is an
> imporant one, and I have failed to find the answer on Google.
> I am developing a prototype of an application in Tcl using sqlite as
> the backend database. Now, I know that I will be dealing with quite
> naïve users, who will not think that "!' and simialar characters are
> evil and potentially dangerous in a SQL database context. So, now I
> need to make sure that I am taking all the precautions I can to
> protect the database from evil / naïve users, and since parts of the
> application may be ported to C for speed later, I would prefer as much
> of it to happen in the SQL queries themselves, in order to make sure
> that the behaviour stays constant when porting.
>
> My currrent strategy is to use a combination of quote() and trim() (as
> blank space at the ends of a string is not important in my
> application). So, for each string value I get from the user, I do
> something similar to
>
> set out [format {select * from X where label == quote(trim("%s")) and
> id > %d } $myStringValue $compId ]
>
> (Please ignore the Tcl part if you are not familiar with it.. format
> is basically (almost) sprintf in a new name )
Your working far too hard. The sqlite Tcl binding already does all thats needed.
This is perfectly safe:
set result [db1 eval {select * from X where label = $myStringValue and id >
$compId}]
But you MUST use {} to quote your query and not "", so sqlite gets to do the
substitution (or better said convert things to prepared statements and bind
values correctly) and not Tcl.
Michael
--
Michael Schlenker
Software Engineer
CONTACT Software GmbH Tel.: +49 (421) 20153-80
Wiener Straße 1-3 Fax: +49 (421) 20153-41
28359 Bremen
http://www.contact.de/ E-Mail: m...@contact.de
Sitz der Gesellschaft: Bremen
Geschäftsführer: Karl Heinz Zachries, Ralf Holtgrefe
Eingetragen im Handelsregister des Amtsgerichts Bremen unter HRB 13215
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
