Thank you, J. and Keith!
2013/4/4 Keith Medcalf <kmedc...@dessus.com>

> http://xkcd.com/327/
>
> ---
> ()  ascii ribbon campaign against html e-mail
> /\  www.asciiribbon.org
>
> > -----Original Message-----
> > From: sqlite-users-boun...@sqlite.org [mailto:sqlite-users-boun...@sqlite.org] On Behalf Of j.merr...@enlyton.com
> > Sent: Wednesday, 03 April, 2013 17:17
> > To: sqlite-users@sqlite.org
> > Subject: Re: [sqlite] [Question] How can I recognize arguments are dynamic binding values in user defined function?
> >
> > The people who are using your software need a lesson about "SQL injection". No one should create SQL statements "on the fly" that include literal character strings built from data. Not only could there be issues if there are special characters in the data to be included as a literal string (including the possibility of a syntax error that prevents the statement from being executed) but evil people could do severe damage -- but this can easily be avoided by using parameters.
> >
> > For example, if the value being searched for came from user input (say on a web page) users of your software must not do things like this --
> >
> >     sql = "select * from mytbl where mycol ='" + input + "'"
> >
> > because, if the input is something like
> >
> >     x' ; drop table mytbl; --
> >
> > the table will be dropped! This cannot happen if parameters are used to pass the string.
> >
> > You might be better off providing only a method where the user passes strings for the table name ("mytbl" in the example before), the columns to be returned (separated by commas, or "*" for all as above), the name of the column to compare ("mycol" in the example) and the value to search for. It would then be your code that builds and runs the SQL statement using parameters.
> >
> > J. Merrill
> >
> > -----Original Message-----
> > Date: Wed, 3 Apr 2013 22:41:01 +0900
> > From: Yongil Jang <yongilj...@gmail.com>
> > To: General Discussion of SQLite Database <sqlite-users@sqlite.org>
> > Subject: Re: [sqlite] [Question] How can I recognize arguments are dynamic binding values in user defined function?
> > Message-ID: <cao_0w+hg70q00zzcxn6ojigo_otrng25bbn9n_p+t0xavyq...@mail.gmail.com>
> > Content-Type: text/plain; charset=EUC-KR
> >
> > Thank you, Simon and Igor.
> >
> > I will investigate your opinion, as you mentioned.
> >
> > In general, if the parameter string contains alphabets only, it doesn't cause any problems.
> >
> > However, I couldn't check that my function is used correctly for every application. Some developers don't know why it fails when using special characters, and applications can be packaged with hidden issues.
> >
> > For this reason, I was looking for some solution by which I can send warning messages to application developers if they use plain text without binding arguments.
> >
> > Best regards,
> > Yongil Jang.
> >
> > _______________________________________________
> > sqlite-users mailing list
> > sqlite-users@sqlite.org
> > http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
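The two patterns J. Merrill contrasts, plus the wrapper method he suggests (table name, column list, compare column and value supplied by the caller, SQL built and bound by the library), worked through with Python's stdlib `sqlite3` module. This is an added example, not code from any poster on the thread; the schema, rows and the `search_concat`/`search_bound`/`safe_search` names are constructed for the demonstration, and the payload string is the one quoted in the message above.

```python
import sqlite3

# Payload copied from J. Merrill's message: it closes the string literal,
# appends a second statement, and comments out the trailing quote.
MALICIOUS_INPUT = "x' ; drop table mytbl; --"


def fresh_db():
    """Constructed sample schema: one table, three rows (ids 1, 2, 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytbl(id integer primary key, mycol text)")
    conn.executemany("insert into mytbl(mycol) values (?)",
                     [("alice",), ("bob",), ("x",)])
    conn.commit()
    return conn


def table_exists(conn, name):
    """Check the catalogue, binding the name so this helper is itself safe."""
    row = conn.execute(
        "select 1 from sqlite_master where type = 'table' and name = ?",
        (name,)).fetchone()
    return row is not None


def search_concat(conn, user_input):
    """The pattern the message warns against: data spliced into SQL text.

    executescript() is used because, like many database drivers, it runs every
    statement in the string.  sqlite3's execute() would refuse the second
    statement, but the SQL text is still corrupted by the quote in the input.
    """
    sql = "select * from mytbl where mycol ='" + user_input + "'"
    conn.executescript(sql)
    return sql  # returned only so a reader can see what was actually run


def search_bound(conn, user_input):
    """The fix: the value travels as a bound parameter, never as SQL text."""
    return conn.execute("select * from mytbl where mycol = ?",
                        (user_input,)).fetchall()


def quote_ident(name):
    """SQLite identifier quoting: wrap in double quotes, double any inner quote."""
    return '"' + name.replace('"', '""') + '"'


def safe_search(conn, table, columns, column, value):
    """J. Merrill's suggested shape: the caller names the table, the columns
    to return ("*" or a comma-separated list) and the column to compare, and
    passes the search value; this code builds the SQL.

    Identifiers cannot be bound, so they are validated against the schema
    (an assumption of this example: PRAGMA table_info is the check used here)
    and quoted; the value is always bound.
    """
    if not table_exists(conn, table):
        raise ValueError("unknown table: %r" % table)
    known = {row[1] for row in
             conn.execute("pragma table_info(%s)" % quote_ident(table))}
    if columns.strip() == "*":
        select_list = "*"
    else:
        cols = [c.strip() for c in columns.split(",")]
        bad = [c for c in cols if c not in known]
        if bad:
            raise ValueError("unknown column(s): %r" % bad)
        select_list = ", ".join(quote_ident(c) for c in cols)
    if column not in known:
        raise ValueError("unknown compare column: %r" % column)
    sql = "select %s from %s where %s = ?" % (
        select_list, quote_ident(table), quote_ident(column))
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    conn = fresh_db()
    print("bound:", search_bound(conn, MALICIOUS_INPUT), table_exists(conn, "mytbl"))
    print("wrapper:", safe_search(conn, "mytbl", "id, mycol", "mycol", "bob"))
    search_concat(conn, MALICIOUS_INPUT)
    print("concat: table still exists?", table_exists(conn, "mytbl"))
```

Run as a script, the bound query treats the whole payload as one literal (no rows, table intact), the wrapper returns `[(2, 'bob')]` and rejects identifiers it does not find in the schema, and only the concatenation version loses the table. This is also the layer at which Yongil's original wish can be met: a user-defined function cannot see whether its arguments arrived as bound parameters or as text spliced into the statement, but a wrapper that owns statement construction can guarantee the value is bound and can reject any identifier that is not in the schema.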