On 20 Oct 2011, at 1:55pm, Gert Corthout wrote:

> I can see only 1 very long-shot security issue. Assuming I am a malafide 
> programmer at our company I could add ESCAPE ']' to a vital query that takes 
> user input and then use ]' to break out and inject some SQL in the live 
> system, right? 

That is not a problem in SQLite itself.  Your own software might be written in 
such a way as to handle an escape character in a strange way, but as far as 
SQLite is concerned it's just another character.

However, a rogue programmer at your company could build anything they want into 
your system, unless it requires the use of a paranoid API which checks 
everything for plausibility.  The only place I've worked in that did that was a 
bank.

The one thing to watch out for in SQLite is the semi-colon character if you 
ever use _exec() instead of _prepare().  Exec will happily execute any number 
of SQL commands separated by semi-colons.  In one of my programming libraries, 
the one routine I have that has to call _exec() scans its parameter for the 
semi-colon character by default.  It requires another parameter to be set to 
allow execution of anything with semi-colons in.  I set that only if the 
command has to handle an arbitrary text parameter that might have a semi-colon 
in, which is rare since they don't occur in things like names, phone numbers, 
addresses or email addresses.

This is not a problem if you always use _prepare(), since that cannot be 
tricked by a semi-colon into processing a second command.

Simon.
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
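The two points Simon makes (an exec-style call runs every semicolon-separated statement it is handed, while a prepared statement compiles only one, and an ESCAPE clause is just a character to SQLite as long as user input is bound rather than spliced in) can be seen in a few lines. The example below is an addition to this thread, not code from Simon or the SQLite project. It assumes Python's standard sqlite3 module, where executescript() behaves like sqlite3_exec() and execute() goes through sqlite3_prepare_v2(); the exec_guarded() helper is a hypothetical re-creation of the semicolon-scanning routine described in the post, and the table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data: a handful of names, two of which contain LIKE wildcards.
SAMPLE_ROWS = [("alice",), ("bob",), ("carol_x",), ("100%",)]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", SAMPLE_ROWS)
    return conn


def run_with_prepare(conn, sql, params=()):
    """Prepared-statement path (sqlite3_prepare_v2 under the hood).

    Only one statement is compiled; if anything follows the first ';' the
    module refuses the whole string before stepping it, so a smuggled second
    command never runs.  Returns (rows, None) or (None, error message).
    """
    try:
        return conn.execute(sql, params).fetchall(), None
    except (sqlite3.Warning, sqlite3.ProgrammingError) as exc:
        # Older CPython raises sqlite3.Warning, newer raises ProgrammingError.
        return None, str(exc)


def run_with_exec(conn, sql):
    """Exec path (sqlite3_exec under the hood): every ';'-separated statement
    runs, no parameters are accepted.  Returns the row count left in users."""
    conn.executescript(sql)
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def exec_guarded(conn, sql, allow_semicolons=False):
    """Hypothetical stand-in for the routine described in the post: refuse to
    hand text containing ';' to the exec path unless the caller opts in."""
    if ";" in sql and not allow_semicolons:
        raise ValueError("refusing exec of SQL containing ';' "
                         "(pass allow_semicolons=True to override)")
    conn.executescript(sql)


def find_like(conn, user_fragment):
    """Substring search where the user's text is treated as literal data.

    The LIKE wildcards '%' and '_' (and the escape character itself) are
    escaped, and the pattern is bound as a parameter.  Because the value
    never becomes part of the SQL text, an input ending in the escape
    character followed by a quote is still just characters to match.
    """
    escaped = (user_fragment.replace("\\", "\\\\")
                            .replace("%", "\\%")
                            .replace("_", "\\_"))
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    # Constructed input carrying a second statement after the semicolon.
    smuggled = "SELECT name FROM users; DELETE FROM users"
    print("prepare:", run_with_prepare(db, smuggled))   # (None, '...one statement...')
    print("rows left:", db.execute("SELECT COUNT(*) FROM users").fetchone()[0])  # 4
    print("like '%':", find_like(db, "%"))               # ['100%'] only
    print("like '_':", find_like(db, "_"))               # ['carol_x'] only
    try:
        exec_guarded(db, smuggled)
    except ValueError as e:
        print("guard:", e)
    print("rows left after exec:", run_with_exec(db, smuggled))  # 0: DELETE ran
```

Run as a script it prints the contrast: the same string is rejected outright by the prepared path, blocked by the semicolon guard, and fully executed by the exec path, which is the behaviour the post warns about. The find_like() calls show that a bound, escaped pattern matches the literal '%' and '_' rows only, rather than every row as an unescaped wildcard would.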
