See if this satisfies your needs...a complete example showing parameterized statements fixing the problem...

http://codesnippets.joyent.com/posts/show/2384

Michael D. Black
Senior Scientist
Advanced Analytics Directorate
Advanced GEOINT Solutions Operating Unit
Northrop Grumman Information Systems

________________________________
From: sqlite-users-boun...@sqlite.org [sqlite-users-boun...@sqlite.org] on behalf of Gert Corthout [gert_corth...@hotmail.com]
Sent: Thursday, October 20, 2011 3:21 AM
To: sqlite-users@sqlite.org
Subject: EXT :[sqlite] string conatenated sql statements

hello,

I am looking at the data layer of my company's software and noticed we build our queries with string concatenation (including user input). As a former Oracle and SqlServer developer this sends shivers down my spine. I am trying to convince management to get a budget for a switch to parametrized queries. My argument so far is that parametrized queries are way faster if used properly. The next obvious argument is sql injection.

On all string input a simple conversion is done: any ' is replaced by '', that's it. This seems to block off any sql injection right there as the escape character \ doesn't work in sqlite.

So my question is, is there any way to perform a sql injection attack? Alternatively can I make sql statements fail by including funky characters or character combinations?

thanks in advance,
Gert
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
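As an added example (not from this thread or the linked snippet), the following Python `sqlite3` code puts the quote-doubling workaround from the question side by side with a bound-parameter query, so a practitioner can confirm on constructed data that the parameterized form treats apostrophes, semicolons and comment markers as plain data without any hand-rolled escaping. Table, column and row values are constructed for the example.

```python
"""Parameterized SQLite queries beside the quote-doubling workaround.

Added example for the discussion above; the schema and rows are constructed
for illustration and are not from the thread.
"""
import sqlite3

# Constructed sample data, including a name that contains an apostrophe.
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Create an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # executemany binds each tuple against one prepared statement.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_concat_query(value):
    """The approach described in the question: double every ' and concatenate."""
    return "SELECT email FROM users WHERE name = '" + value.replace("'", "''") + "'"


def lookup_concat(conn, name):
    """Run the string-built query; SQLite must re-parse the SQL text on every call."""
    return [row[0] for row in conn.execute(build_concat_query(name))]


def lookup_param(conn, name):
    """Bound-parameter query: the SQL text never changes, the value is bound as data.

    No escaping is needed; SQLite compares the column against the literal bytes
    supplied, whatever characters they contain. Python's sqlite3 caches the
    compiled statement, so repeated lookups skip re-parsing.
    """
    return [row[0] for row in conn.execute(
        "SELECT email FROM users WHERE name = ?", (name,))]


def row_count(conn):
    """Number of rows in users, used to confirm the table is untouched after lookups."""
    return conn.execute("SELECT count(*) FROM users").fetchone()[0]
```

Both lookups return the same result for an apostrophe-bearing name and for input containing quotes, `;` or `--`; the parameterized version simply gets there without the string rewriting step.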