Agreed. I would hope that the application (at a higher level) is performing type checks on the input data before attempting any insertion...
On Thu, Apr 29, 2010 at 8:28 AM, Igor Tandetnik <[email protected]> wrote:
> Alexey Pechnikov <[email protected]> wrote:
> > Do you want to produce SQL-injection security holes? When the database
> > engine can convert datatypes on demand we may quote all values from
> > web forms and all other external sources.
>
> Don't build SQL statements on the fly - use parameterized queries to
> protect against SQL injections. This also eliminates most concerns about
> type mismatches and such. When you bind a value to a parameter, you
> explicitly specify the type of that value - you are unlikely to accidentally
> pass a string when an int is needed, say (and if you do, it's probably a bug
> in your program).
> --
> Igor Tandetnik
>
> _______________________________________________
> sqlite-users mailing list
> [email protected]
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

--
Paul Rigor
Pre-doctoral BIT Fellow and Graduate Student
Institute for Genomics and Bioinformatics
Donald Bren School of Information and Computer Sciences
University of California, Irvine
http://www.ics.uci.edu/~prigor
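The three points made in this exchange (a statement built on the fly is an injection hole, a bound parameter carries its own storage class so its content can never become SQL, and the application can still type-check before binding) can be seen side by side in Python's built-in sqlite3 module. This is an added example, not code posted by anyone in the thread; the users table, its rows and the "1 OR 1=1" payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
USERS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]


def make_db():
    """In-memory database with an INTEGER PRIMARY KEY lookup column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user_id):
    """Builds the statement on the fly: whatever user_id contains becomes SQL.

    With user_id = "1 OR 1=1" the WHERE clause is rewritten and every row
    comes back. Kept deliberately broken to show the hole being discussed.
    """
    sql = "SELECT id, name FROM users WHERE id = %s" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Binds user_id with a '?' placeholder: the value is data, never SQL text.

    The same "1 OR 1=1" payload is bound as a TEXT value and compared against
    the INTEGER column; it cannot be converted to a number, so nothing matches.
    """
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_typed(conn, user_id):
    """Application-level type check before binding, then the parameterized query.

    Uses type() rather than isinstance() so that bool (a subclass of int in
    Python) is rejected as well.
    """
    if type(user_id) is not int:
        raise TypeError("user_id must be int, got %s" % type(user_id).__name__)
    return lookup_parameterized(conn, user_id)


def bound_storage_class(conn, value):
    """Returns the SQLite storage class a bound Python value arrives as.

    A bare '?' has no column affinity, so typeof() reports exactly what the
    binding call chose: int -> integer, str -> text, float -> real,
    bytes -> blob, None -> null.
    """
    return conn.execute("SELECT typeof(?)", (value,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, "1 OR 1=1"))
    print("parameterized:", lookup_parameterized(db, "1 OR 1=1"))
    print("typed, int 2:", lookup_typed(db, 2))
    for v in (1, "1", 1.0, b"\x01", None):
        print(repr(v), "->", bound_storage_class(db, v))
```

The vulnerable function is the "before" case and should not be copied; the parameterized one shows that the binding API, not quoting, is what keeps the payload inert, and the typed wrapper is the higher-level check the reply above hopes the application performs.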

