http://xkcd.com/327/

---
() ascii ribbon campaign against html e-mail
/\ www.asciiribbon.org
> -----Original Message-----
> From: sqlite-users-boun...@sqlite.org [mailto:sqlite-users-boun...@sqlite.org] On Behalf Of j.merr...@enlyton.com
> Sent: Wednesday, 03 April, 2013 17:17
> To: sqlite-users@sqlite.org
> Subject: Re: [sqlite] [Question] How can I recognize arguments are dynamic binding values in user defined function?
>
> The people who are using your software need a lesson about "SQL injection". No one should create SQL statements "on the fly" that include literal character strings built from data. Not only could there be issues if there are special characters in the data to be included as a literal string (including the possibility of a syntax error that prevents the statement from being executed) but evil people could do severe damage -- but this can easily be avoided by using parameters.
>
> For example, if the value being searched for came from user input (say on a web page) users of your software must not do things like this --
>
> sql = "select * from mytbl where mycol ='" + input + "'"
>
> because, if the input is something like
>
> x' ; drop table mytbl; --
>
> the table will be dropped! This cannot happen if parameters are used to pass the string.
>
> You might be better off providing only a method where the user passes strings for the table name ("mytbl" in the example before), the columns to be returned (separated by commas, or "*" for all as above), the name of the column to compare ("mycol" in the example) and the value to search for. It would then be your code that builds and runs the SQL statement using parameters.
>
> J. Merrill
>
> -----Original Message-----
> Date: Wed, 3 Apr 2013 22:41:01 +0900
> From: Yongil Jang <yongilj...@gmail.com>
> To: General Discussion of SQLite Database <sqlite-users@sqlite.org>
> Subject: Re: [sqlite] [Question] How can I recognize arguments are dynamic binding values in user defined function?
> Message-ID: <cao_0w+hg70q00zzcxn6ojigo_otrng25bbn9n_p+t0xavyq...@mail.gmail.com>
> Content-Type: text/plain; charset=EUC-KR
>
> Thank you, Simon and Igor.
>
> I will investigate your opinion, as you mentioned.
>
> In general, if the parameter string contains alphabets only, it doesn't cause any problems.
>
> However, I couldn't check that my function is used correctly in every application. Some developers don't know why it fails when using special characters, and applications can be packaged with hidden issues.
>
> For this reason, I was looking for some solution that would let me send warning messages to application developers if they use plain text without binding arguments.
>
> Best regards,
> Yongil Jang.
>
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
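The three things J. Merrill describes above, worked through as an added example (this is editor-supplied code, not anything posted in the thread and not part of SQLite or its Python binding): the concatenated statement from the quoted message run with the quoted `x' ; drop table mytbl; --` input, the same lookup with the value bound as a parameter, and the "your code builds the statement" method he suggests, where the caller supplies table, column list, compare column and value. Assumptions: Python's standard `sqlite3` module against an in-memory database; a constructed `mytbl(mycol)` with three constructed rows; `executescript()` standing in for a multi-statement executor such as `sqlite3_exec()`, because `cursor.execute()` in Python refuses to run more than one statement and would hide the drop. Table and column names cannot be bound, so the builder checks them against `sqlite_master` / `PRAGMA table_info` and double-quotes them; only the search value is bound.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_ROWS = [("alice",), ("bob",), ("O'Brien",)]
# The input quoted in the thread.
INJECTION = "x' ; drop table mytbl; --"


def make_db():
    """Fresh in-memory database with the constructed mytbl(mycol) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytbl (mycol text)")
    conn.executemany("insert into mytbl values (?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def table_exists(conn, name):
    """Bound lookup in sqlite_master; used to observe whether the drop happened."""
    row = conn.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?", (name,)
    ).fetchone()
    return row is not None


def search_concat(conn, value):
    """The pattern the post warns against: data spliced into the SQL text.

    executescript() runs every statement in the string, as sqlite3_exec() would,
    so a value carrying ' ; drop table ...; -- executes the extra statement.
    It returns no rows, which is fine here: the point is the side effect."""
    sql = "select * from mytbl where mycol ='" + value + "'"
    conn.executescript(sql)


def search_bound(conn, value):
    """Same query with the value passed as a parameter: it is always a literal."""
    return conn.execute("select * from mytbl where mycol = ?", (value,)).fetchall()


def quote_ident(name):
    """Double-quote an identifier; embedded double quotes are doubled."""
    return '"' + name.replace('"', '""') + '"'


def search_by_column(conn, table, columns, column, value):
    """The method J. Merrill suggests: caller supplies table, column list ("*" or
    comma-separated), compare column and value; this code builds and runs the SQL.

    Identifiers cannot be bound, so they are validated against the schema and
    quoted; the search value is the only thing that reaches SQLite as data."""
    if not table_exists(conn, table):
        raise ValueError(f"unknown table: {table!r}")
    known = {row[1] for row in conn.execute(f"pragma table_info({quote_ident(table)})")}
    wanted = ["*"] if columns.strip() == "*" else [c.strip() for c in columns.split(",")]
    for name in wanted + [column]:
        if name != "*" and name not in known:
            raise ValueError(f"unknown column: {name!r}")
    select_list = "*" if wanted == ["*"] else ", ".join(quote_ident(c) for c in wanted)
    sql = f"select {select_list} from {quote_ident(table)} where {quote_ident(column)} = ?"
    return conn.execute(sql, (value,)).fetchall()


def demo():
    """Run the three access paths against a fresh database and report what happened."""
    conn = make_db()
    out = {}
    out["bound_plain"] = search_bound(conn, "alice")
    out["bound_apostrophe"] = search_bound(conn, "O'Brien")      # apostrophe is just data
    out["bound_injection"] = search_bound(conn, INJECTION)       # no row has that literal
    out["table_after_bound"] = table_exists(conn, "mytbl")
    out["builder"] = search_by_column(conn, "mytbl", "*", "mycol", "bob")
    try:
        search_by_column(conn, "mytbl", "*", "mycol; drop table mytbl; --", "bob")
        out["builder_rejects_bad_column"] = False
    except ValueError:
        out["builder_rejects_bad_column"] = True
    try:
        search_concat(conn, "O'Brien")     # the "syntax error" case from the post
        out["concat_apostrophe_error"] = False
    except sqlite3.OperationalError:
        out["concat_apostrophe_error"] = True
    search_concat(conn, INJECTION)         # the "table will be dropped" case
    out["table_after_concat"] = table_exists(conn, "mytbl")
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The bound and builder paths see `O'Brien` and the injection string as ordinary values; the concatenated path fails on the apostrophe and, given a driver that executes every statement it is handed, loses the table.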