The people who are using your software need a lesson about "SQL injection".

No one should create SQL statements "on the fly" that include literal character strings built from data. Not only could there be issues if there are special characters in the data to be included as a literal string (including the possibility of a syntax error that prevents the statement from being executed), but evil people could do severe damage -- and this can easily be avoided by using parameters.

For example, if the value being searched for came from user input (say on a web page), users of your software must not do things like this:

    sql = "select * from mytbl where mycol ='" + input + "'"

because, if the input is something like

    x' ; drop table mytbl; --

the table will be dropped! This cannot happen if parameters are used to pass the string.

You might be better off providing only a method where the user passes strings for the table name ("mytbl" in the example before), the columns to be returned (separated by commas, or "*" for all, as above), the name of the column to compare ("mycol" in the example) and the value to search for. It would then be your code that builds and runs the SQL statement using parameters.

J. Merrill

-----Original Message-----
Date: Wed, 3 Apr 2013 22:41:01 +0900
From: Yongil Jang <yongilj...@gmail.com>
To: General Discussion of SQLite Database <sqlite-users@sqlite.org>
Subject: Re: [sqlite] [Question] How can I recognize arguments are dynamic binding values in user defined function?
Message-ID: <cao_0w+hg70q00zzcxn6ojigo_otrng25bbn9n_p+t0xavyq...@mail.gmail.com>
Content-Type: text/plain; charset=EUC-KR

Thank you, Simon and Igor.

I will investigate your opinion, as you mentioned. In general, if the parameter string contains letters only, it doesn't cause any problems. However, I couldn't check that my function is used correctly in every application. Some developers don't know why it fails when special characters are used, and applications can be packaged with hidden issues. For this reason, I was looking for some solution that lets me send warning messages to application developers if they use plain text without binding arguments.

Best regards,
Yongil Jang.

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users