On Sat, Jun 26, 2010 at 11:22 PM, Igor Tandetnik <itandet...@mvps.org> wrote:

> Sam Carleton <scarle...@miltonstreet.com> wrote:
> > I have created a little extension function that I would like to load into my
> > Qt program, so I am using the function load_extension, but it always returns
> > false.
>
> http://sqlite.org/c3ref/enable_load_extension.html

Yea, now that you pointed me to it, I remember running into that before, before I fully grasped the concept and the need :)

On the link you provided, it states "and as a means of disabling extension loading while evaluating user-entered SQL". It is my impression that this refers to dealing with SQL injection, correct?

Currently I am using SQLite in two different executables:

1. Apache module where I am using the raw C interface and all parameters are always set via binding, so I am 99.9% sure that code is free of any SQL injection.

2. A Qt program where I am using its abstraction layer. Again I am always using parametrized SQL with binding, but I stepped through their code once or twice and I am not 100% sure they are using the prepare/binding APIs of SQLite as compared to simply parsing the strings themselves into one SQL statement. In time, the application is going to support other databases; at that point in time the Apache code will be switched over to use the APR's DBD layer.

Question: With relatively common frameworks like Qt's SQL subsystem and the APR DBD subsystem, am I able to count on that code to use the native prepare/binding functions for parametrized SQL, or is it something I need to investigate?

Sam
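An added example, not code from this thread, using Python's standard sqlite3 module (which wraps the same sqlite3_enable_load_extension and prepare/bind C calls the post discusses). It shows the "open the extension-loading window only for a trusted path, then close it before user-entered SQL runs" usage the docs describe, and a probe you can run against any database layer to see whether it really binds parameters or splices them into the SQL text. The table, rows, PROBE value and helper names are all constructed for this example.

```python
import sqlite3

# Constructed sample data (not from the original thread).
ROWS = [("alice", "secret-a"), ("bob", "secret-b")]

# Probe value: a layer that binds sees an odd username matching nothing;
# a layer that splices strings lets the quote alter the statement.
PROBE = "nobody' OR '1'='1"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_bound(conn, name):
    """Parameter binding: the value never becomes part of the SQL text."""
    return conn.execute("SELECT token FROM users WHERE name = ?", (name,)).fetchall()


def lookup_spliced(conn, name):
    """The anti-pattern the post worries a framework might do internally."""
    return conn.execute("SELECT token FROM users WHERE name = '%s'" % name).fetchall()


def binds_for_real(lookup, conn):
    """True when `lookup` keeps PROBE a literal (zero rows) and a name
    containing a quote round-trips exactly; False on extra rows or an error."""
    if lookup(conn, PROBE):
        return False
    conn.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "secret-o"))
    try:
        return lookup(conn, "o'brien") == [("secret-o",)]
    except sqlite3.Error:
        return False
    finally:
        conn.execute("DELETE FROM users WHERE name = ?", ("o'brien",))


def load_extension_window(conn, path):
    """Enable loading only around one trusted path, then disable it again
    before any user-entered SQL is evaluated. Raises NotSupportedError on
    Python builds compiled without extension support."""
    conn.enable_load_extension(True)
    try:
        conn.load_extension(path)
    finally:
        conn.enable_load_extension(False)
```

Point `binds_for_real` at a thin wrapper around the framework's query call (Qt or APR DBD) to get the same yes/no answer for that layer.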