Re: sqlite help needed with my proc....
- From: Bryan Oakley <oakley@xxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 25 Jun 2007 16:22:52 -0500
Mel wrote:
> On Jun 24, 11:09 am, Darren New <d...@xxxxxxxxxx> wrote:
>> Mel wrote:
>>> |delete from departments
>>> near "'s automotive)": syntax error
>>
>> Along with all the other advice, be aware that this sort of thing can
>> lead to what's called an "SQL injection attack". You prompt the user for
>> a business name to look up, and they type in
>>
>>     Al's automotive
>>
>> and get that error back. So they type in
>>
>>     Al';delete from departments;
>>
>> and you're hosed.
>>
>> --
>> Darren New / San Diego, CA, USA (PST)
>> I bet exercise equipment would be a lot more
>> expensive if we had evolved from starfish.
>
> So how should I avoid getting hosed? Can you please put me on the
> right path?
I think the answer is, "use sqlite" (which you're doing, right?) If you use sqlite's ability to expand tcl variable names you don't have to worry about injections so much since the whole of your data gets stored in the column rather than being treated as an sql string.
--
Bryan Oakley
http://www.tclscripting.com
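As an added example (not code from Bryan's or Mel's posts), here is the difference Bryan describes, using the sqlite3 Tcl binding against a constructed in-memory `departments` table: a query string built by Tcl double-quote substitution beside the braced form, where sqlite3 itself binds `$name` as a parameter. The table, rows and variable names are assumptions for the demonstration.

```tcl
package require sqlite3

# Constructed sample data in an in-memory database (not the poster's schema).
sqlite3 db :memory:
db eval {CREATE TABLE departments(id INTEGER PRIMARY KEY, name TEXT)}
db eval {INSERT INTO departments(name) VALUES ('Al''s automotive')}
db eval {INSERT INTO departments(name) VALUES ('Bob''s bakery')}

# Input of the kind Darren describes: a quote plus a second statement.
set name "Al';delete from departments;"

# Safe: inside braces Tcl does not substitute, so sqlite3 sees the literal
# text "$name" and binds the variable's value as a parameter. The whole
# string is compared as data; nothing in it is parsed as SQL.
set rows [db eval {SELECT id FROM departments WHERE name = $name}]
puts "safe lookup, rows matched for injected input: [llength $rows]"
puts "departments remaining: [db onecolumn {SELECT count(*) FROM departments}]"

# A legitimate name containing an apostrophe needs no escaping at all.
set name "Al's automotive"
puts "safe lookup for Al's: [db eval {SELECT id, name FROM departments WHERE name = $name}]"

# Unsafe: with double quotes Tcl pastes the user's text into the SQL itself,
# so the quote and semicolon become part of the statement. That is the path
# that produced the "near ...: syntax error" in the original post.
set name "Al';delete from departments;"
set sql "SELECT id FROM departments WHERE name = '$name'"
if {[catch {db eval $sql} err]} {
    puts "unsafe query error: $err"
}
# Check the count after the unsafe call: sqlite3's eval runs each complete
# statement it finds, so the embedded DELETE can execute before the
# trailing quote is rejected.
puts "departments after unsafe query: [db onecolumn {SELECT count(*) FROM departments}]"

db close
```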