How about hitting your injection problem from the other side? Perhaps you
can validate the data that is going into making up your query.
I don't know what query in particular you are using, but it made me think
and something that cannot work with parameterisation could be something like
the following:
#include <sqlite3.h>
const char *col = "my_col";
/* sqlite3_mprintf takes varargs; sqlite3_vmprintf expects a va_list */
char *sql = sqlite3_mprintf("select %s from table", col);
(I have used something similar myself.)
This would be susceptible to injection, for example changing "col" to
"hidden_col from hidden_table;" which would produce an sql string as
follows...
"select hidden_col from hidden_table; from table"
This would parse correctly through sqlite3_prepare and provide access to
hidden information. The part after the ';' will not be parsed and will not
cause an error.
However, we can use pzTail that is returned from sqlite3_prepare to check
for this, as in the following code:
sqlite3_stmt *stmt = 0;
const char *pzTail = 0;  /* set to the first byte past the first statement */
int rc = sqlite3_prepare_v2(db, sql, -1, &stmt, &pzTail);
if (rc == SQLITE_OK && pzTail && *pzTail) printf("Injection attempted!!!");
If pzTail points to a non-null string (i.e. pzTail[0]!=0) then an injection
of the style detailed above has been attempted.
It almost certainly won't catch everything, but it might serve as a starting
point for you in trying to block such attempts.
Andy
_______________________________________________
sqlite-users mailing list
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users