Yeah -- I should've been in a better teaching mode... Trying to keep things simple opens up these types of security problems... though there are lots of situations where this works just fine and is no problem at all (e.g. when you don't have user input or it's completely under your own control, like a learning program).

It's good to get in the habit of not doing it the simple and possibly insecure way.

Michael D. Black
Senior Scientist
Advanced Analytics Directorate
Advanced GEOINT Solutions Operating Unit
Northrop Grumman Information Systems

________________________________________
From: sqlite-users-boun...@sqlite.org [sqlite-users-boun...@sqlite.org] on behalf of Richard Hipp

Bad idea. See SQL Injection Attack <http://en.wikipedia.org/wiki/SQL_injection> for a detailed explanation of why this is so bad. A far better approach is to use query parameters with sqlite3_bind_xxxx(). Or, failing that, to use sqlite3_mprintf() with the %q or %Q substitutions.

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
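An added illustration of the contrast Richard describes, not code from this thread: it uses Python's standard sqlite3 module (whose `?` placeholders are bound through sqlite3_bind_xxxx() underneath) against a constructed in-memory table, and runs the same lookup both by string concatenation and by parameter binding.

```python
import sqlite3

# Constructed sample rows for the example; the names and addresses are made up.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concat(conn, name):
    """The 'simple' way: the caller's value is spliced into the SQL text,
    so SQLite parses whatever it contains as part of the statement."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Query parameter: the value is bound to '?' after the statement is
    compiled, so it can only ever be compared as a string, never parsed."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups with a normal name and with a constructed value
    that, when concatenated, turns the WHERE clause into '...OR '1'='1'."""
    conn = make_db()
    benign = "alice"
    hostile = "' OR '1'='1"  # constructed input; a value, not a real user
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),   # leaks every row
        "bound_benign": lookup_bound(conn, benign),
        "bound_hostile": lookup_bound(conn, hostile),     # matches nothing
    }


if __name__ == "__main__":
    for label, emails in demo().items():
        print(label, emails)
```

The bound version also handles legitimate values containing a quote (an O'Brien) that the concatenated version would turn into a syntax error.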