Hello,
 
I am looking at the data layer of my company's software and noticed we build 
our queries with string concatenation (including user input). As a former 
Oracle and SqlServer developer this sends shivers down my spine. I am trying to 
convince management to get a budget for a switch to parametrized queries.
 
My argument so far is that parametrized queries are way faster if used properly.
The next obvious argument is sql injection. On all string input a simple 
conversion is done: any ' is replaced by '', that's it. This seems to block off 
any sql injection right there as the escape character \ doesn't work in sqlite.
 
So my question is, is there any way to perform a sql injection attack?
Alternatively can I make sql statements fail by including funky characters or 
character combinations?
 
Thanks in advance,
Gert
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

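The two approaches the message contrasts, side by side, as an added example that is not part of the original post (Python's standard sqlite3 module against an in-memory database; the table name notes, the sample strings and the non-string values are all constructed here). It shows that, for text pasted into a single-quoted literal, doubling every ' does survive quotes, backslashes, semicolons and non-ASCII input, and that a bound parameter never becomes part of the SQL text at all, so it needs no escaping logic and also carries the integer, float, blob and NULL values that a "replace ' with ''" rule on string input never sees.

```python
import sqlite3

# Constructed sample strings a user might type into a text field (not from the post).
SAMPLE_STRINGS = [
    "O'Brien",                        # single quote
    "it''s",                          # an already-doubled quote must come back as typed
    "C:\\temp\\file.txt",             # backslashes: not an escape character in SQLite
    "a; SELECT 1",                    # statement separator and keywords inside data
    "émoji 🙂 and ‘smart quotes’",    # non-ASCII text
    '"double" and `backtick`',        # the quote styles SQLite uses for identifiers
    "100% _wildcard_",                # LIKE metacharacters are plain text under =
]

# Constructed non-string values; a rule that only rewrites string input never sees these.
SAMPLE_VALUES = [42, 3.5, b"\x00\xff\x27", None]


def setup_db():
    conn = sqlite3.connect(":memory:")
    # Untyped column, so whatever type is bound is what is stored.
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body)")
    return conn


def insert_concatenated(conn, text):
    """The pattern the post describes: double every ' and paste the result into the SQL."""
    escaped = text.replace("'", "''")
    cur = conn.execute("INSERT INTO notes (body) VALUES ('" + escaped + "')")
    return cur.lastrowid


def insert_parameterized(conn, value):
    """Bound parameter: the SQL text is fixed, the value travels separately,
    and TEXT, INTEGER, REAL, BLOB and NULL all bind without any quoting."""
    cur = conn.execute("INSERT INTO notes (body) VALUES (?)", (value,))
    return cur.lastrowid


def fetch(conn, rowid):
    return conn.execute("SELECT body FROM notes WHERE id = ?", (rowid,)).fetchone()[0]


def round_trip_strings(insert_fn):
    """Return {input: came_back_unchanged} for every sample string using insert_fn."""
    conn = setup_db()
    out = {}
    for s in SAMPLE_STRINGS:
        try:
            out[s] = fetch(conn, insert_fn(conn, s)) == s
        except (sqlite3.Error, ValueError):
            # A statement that fails to parse or execute counts as a lost value.
            out[s] = False
    conn.close()
    return out


def round_trip_values():
    """Bound parameters preserve both the value and its storage type."""
    conn = setup_db()
    out = []
    for v in SAMPLE_VALUES:
        got = fetch(conn, insert_parameterized(conn, v))
        out.append((got, type(got)))
    conn.close()
    return out


if __name__ == "__main__":
    for label, fn in (("concatenated", insert_concatenated),
                      ("parameterized", insert_parameterized)):
        print(label, round_trip_strings(fn))
    print(round_trip_values())
```

Both insert functions bring every sample string back intact, which is why the post's quote-doubling looks sufficient on the surface; the difference is that insert_parameterized has no escaping step that a future column type, code path or developer can forget, and it also accepts the integer, float, blob and NULL values that the string rule does not cover.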