On 1 Jan 2011, at 12:35am, Jeffrey Walton wrote:

> I'm using SQLite on embedded devices (iPhone, SmartPhone, and
> PocketPC). I checked OWASP, and they don't have anything for SQLite or
> C/C++. http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet.
>
> Does the SQLite API offer the ability to create a 'command object'. Or
> a call to sanitize user input (which would probably include escaping
> special characters)?
Yep. sqlite3_prepare() creates a compiled SQL statement, which is more or less what you mean by 'command object'. It's not possible to inject if you're using sqlite3_prepare(): it will execute only a single instruction, and syntax characters in parameters are interpreted as if they're part of the parameter, not part of the command.

If you're using sqlite3_exec() then you have bigger problems. You can, of course, screen your input string for semi-colons. You can check that INSERT, UPDATE and DELETE are followed only by your desired table names. You can screen the first two words of each SQL command. Further precautions vary depending on what you know is a legitimate use in your particular application.

So I recommend that if you're nervous about injection, you use the prepare sequence:

<http://www.sqlite.org/c3ref/stmt.html>

In the case of the iPhone you have other special security measures acting in your favour. For instance, it's impossible to use one application to get at the data belonging to other applications. Other operating systems have their own measures.

Simon.

_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
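The contrast Simon draws, shown as an added example that is not part of the original thread. It uses Python's standard sqlite3 module rather than the C API, because that module's `?` placeholders are implemented with the same sqlite3_prepare_v2()/sqlite3_bind_text() sequence the reply recommends, while string formatting followed by execute() stands in for building the SQL by hand and handing it to sqlite3_exec(). The table, rows and hostile inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration, not from the original thread.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """The sqlite3_exec() style: the caller splices text into the SQL string.

    Whatever is in `name` becomes part of the SQL grammar, so quote
    characters in the input change the meaning of the WHERE clause.
    """
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, name):
    """The sqlite3_prepare() style: the SQL text is fixed, the value is bound.

    The '?' marker is a parameter slot. The statement is compiled before the
    value is attached, so quotes and semicolons in `name` are compared as
    data and can never be parsed as syntax.
    """
    sql = "SELECT name FROM users WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def store_user_safe(conn, name, email):
    """Insert through bound parameters and read the row back by the same key.

    Returns the stored names matching `name`; an awkward value round-trips
    literally because the prepared INSERT only ever runs one statement.
    """
    conn.execute("INSERT INTO users VALUES (?, ?)", (name, email))
    conn.commit()
    return find_user_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that closes the quoted literal
    print("unsafe:", find_user_unsafe(db, probe))   # every row comes back
    print("safe:  ", find_user_safe(db, probe))     # no user has that literal name
```

Running the block shows the two behaviours side by side: the spliced query matches every row because the input rewrote the WHERE clause, while the bound query looks for a user whose name is literally `x' OR '1'='1` and finds none. The same holds in C, where the fix is to call sqlite3_prepare_v2() once with a `?` in the SQL text and sqlite3_bind_text() for each value, instead of formatting the value into the string passed to sqlite3_exec().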

