Dominique Devienne wrote:
>> On Fri, Mar 7, 2014 at 6:39 PM, Clemens Ladisch <clem...@ladisch.de> wrote:
>>> SELECT register_simple_function('rpad', 2, 'SELECT printf(''%-*s'', ?, ?)');
>
> But doesn't the above assume you can bind values inside the select
> clause? I thought one couldn't...
Binding values is allowed everywhere where you have an expression.
"SELECT ?" is fine, just as "SELECT 42" is fine (but useless in most
circumstances). In practice, the select clause usually contains column
names, which is what can trip up beginners that try to use parameters
for them.

> Of course, during inner query preparation, one can verify the
> expression returns a single scalar value, and at execution time, that
> it returns a single row (it can't I think, but I'm not experienced in
> SQL injection techniques, so I'd assert it myself ;)

You could easily put "UNION" or "FROM BigTable" in there. And even
such queries can end up returning exactly one value, so I wouldn't
want to forbid them.


Regards,
Clemens
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
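The three points made in this exchange, as an added example that is not part of the thread and not SQLite's own code: a bound parameter works inside the select list (the printf-based rpad), a parameter bound where a column name is expected becomes a string literal rather than a column reference, and a "one column, one row" check on a user-supplied expression can be enforced at prepare and fetch time but does not reject every query containing UNION, because some such queries still yield exactly one value. The table and rows are constructed for the demo; `run_scalar_expression` and `make_demo_db` are names chosen here.

```python
import sqlite3


def make_demo_db():
    """In-memory database with a constructed two-row table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t(name TEXT)")
    conn.executemany("INSERT INTO t VALUES (?)", [("alice",), ("bob",)])
    return conn


def rpad(conn, text, width):
    """Right-pad using the printf('%-*s', width, text) trick from the thread.

    Both values are bound parameters inside the select list, which
    SQLite accepts anywhere an expression is allowed.
    """
    row = conn.execute("SELECT printf('%-*s', ?, ?)", (width, text)).fetchone()
    return row[0]


def select_bound_column_name(conn, column_name):
    """Shows the beginner's trap: a parameter cannot name a column.

    The bound value is an ordinary string expression, so every row
    yields the literal text, not the column's contents.
    """
    rows = conn.execute("SELECT ? FROM t", (column_name,)).fetchall()
    return [r[0] for r in rows]


def run_scalar_expression(conn, sql, params=()):
    """Run a user-supplied SQL expression and enforce 'one column, one row'.

    The column count is known after prepare (cursor.description), the
    row count only after fetching; fetching two rows is enough to tell
    'exactly one' from 'more than one' without reading a big result.
    """
    cur = conn.execute(sql, params)
    if len(cur.description) != 1:
        raise ValueError("expression must produce exactly one column")
    rows = cur.fetchmany(2)
    if len(rows) != 1:
        raise ValueError("expression must produce exactly one row")
    return rows[0][0]


if __name__ == "__main__":
    db = make_demo_db()
    print(repr(rpad(db, "ab", 5)))                      # 'ab   '
    print(select_bound_column_name(db, "name"))         # ['name', 'name']
    print(run_scalar_expression(db, "SELECT 42"))       # 42
    # UNION with duplicate branches collapses to a single row, so the
    # row-count check alone cannot reject every query containing UNION.
    print(run_scalar_expression(db, "SELECT 1 UNION SELECT 1"))  # 1
```

The checks in `run_scalar_expression` are exactly the ones proposed in the quoted message; the last call shows why Clemens does not treat them as a reliable way to exclude set operations or extra FROM clauses.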