Hello,
I am looking at the data layer of my company's software and noticed we build
our queries with string concatenation (including user input). As a former
Oracle and SqlServer developer this sends shivers down my spine. I am trying to
convince management to get a budget for a switch to parametrized queries.
My argument so far is that parametrized queries are way faster if used properly.
The next obvious argument is SQL injection. On all string input a simple
conversion is done: any ' is replaced by ''; that's it. This seems to block off
any SQL injection right there, as the escape character \ doesn't work in SQLite.
So my question is: is there any way to perform a SQL injection attack?
Alternatively can I make sql statements fail by including funky characters or
character combinations?
Thanks in advance,
Gert
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
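Added example, not part of the original message or of any reply on the list: a small Python script against an in-memory SQLite database that exercises the quote-doubling scheme described above. It shows that doubling ' does hold the input inside a '...' string literal (funky characters such as ;, -- and \ then match literally rather than breaking the statement), but that the same escaping gives no protection at all when the input is concatenated into a numeric context such as WHERE id = ..., which a parameterized query handles without injection. The table, rows and function names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
# Row 3 carries a name full of characters that look dangerous in SQL.
ROWS = [
    (1, "alice"),
    (2, "bob"),
    (3, "o'neil; -- \\ DROP TABLE users"),
]


def make_db():
    """Create an in-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def quote(s):
    """The escaping from the post: double every single quote.

    This is the correct rule for SQLite *string literals* (it is what
    sqlite3_mprintf's %q does too), but only when the result is wrapped
    in quotes. Outside a literal there is nothing for it to protect."""
    return "'" + s.replace("'", "''") + "'"


def by_name_concat(conn, name):
    """String context built by concatenation, protected by quote()."""
    sql = "SELECT id FROM users WHERE name = " + quote(name) + " ORDER BY id"
    return [r[0] for r in conn.execute(sql)]


def by_id_concat(conn, id_text):
    """Numeric context built by concatenation, with the same ' -> '' step.

    The input never sits inside quotes here, so the doubling is a no-op
    and any SQL the caller supplies is simply executed."""
    sql = "SELECT id FROM users WHERE id = " + id_text.replace("'", "''") + " ORDER BY id"
    return [r[0] for r in conn.execute(sql)]


def by_name_param(conn, name):
    """Parameterized equivalent of by_name_concat."""
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [r[0] for r in conn.execute(sql, (name,))]


def by_id_param(conn, id_text):
    """Parameterized equivalent of by_id_concat.

    The whole string is bound as one value; SQLite compares it to the
    INTEGER column and '2 OR 1=1' is not a number, so it matches nothing."""
    sql = "SELECT id FROM users WHERE id = ? ORDER BY id"
    return [r[0] for r in conn.execute(sql, (id_text,))]


if __name__ == "__main__":
    db = make_db()
    # Quote-doubling inside a literal: the classic payload stays a plain string.
    print(by_name_concat(db, "' OR 1=1 --"))                     # []
    # Funky characters do not break the statement; they match row 3 literally.
    print(by_name_concat(db, "o'neil; -- \\ DROP TABLE users"))  # [3]
    # Numeric context: the escaping cannot help, the condition is rewritten.
    print(by_id_concat(db, "2 OR 1=1"))                          # [1, 2, 3]
    # Parameterized: the same input is just a value that matches nothing.
    print(by_id_param(db, "2 OR 1=1"))                           # []
    print(by_id_param(db, "2"))                                  # [2]
```

The point for the budget argument is the third call: a ' -> '' rewrite is only as good as the guarantee that every escaped value ends up between quotes, and a data layer that builds statements by concatenation has no such guarantee for numbers, identifiers or anything else that is not a string literal. Binding parameters removes that class of mistake rather than relying on each query author to get the quoting right.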