[sqlite] SQLite file Validation
Hi all,

Total noob question for you guys:

Background: I have a project where there are many components touching different SQLite DBs. Devs were told to make sure they are validating their SQL statements, but as I have seen in the code, few of them have. On some components they have used the BIND statement, which will help. We are dealing with media file inputs mostly on this project, so people might have files named "Michael Jackson; Beat it; Thriller" or something like that. My concern is possible SQL injections throughout the different code. We are on a tight deadline and we are unable to go back and recode a bunch of components.

Question: Do you think that instead of getting them to go back throughout their code, it is feasible to create a function that just eliminates the ; and replaces it with a ,? And if so, any suggested code?

Thanks so much for your time.

-Steve

-- View this message in context: http://old.nabble.com/SQLite-file-Validation-tp28612927p28612927.html
Sent from the SQLite mailing list archive at Nabble.com.
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
Re: [sqlite] SQLite file Validation
Thanks for the quick reply, Dustin. That was my concern as well; it might create more issues than it will solve.

One of the devs suggested this code example:

    int makeSQLtight(const TCHAR* update);

S

Dustin Sallings wrote:
> On May 19, 2010, at 12:24, seandakid wrote:
>
>> Question: Do you think that instead of getting them to go back throughout their code, it is feasible to create a function that just eliminates the ; and replaces it with a ,? And if so, any suggested code?
>
> On one hand, you have something that is safer and more efficient (probably tons faster depending on your app, since you'd be able to reuse statements). On the other, you have something that will increase your technical debt and give you more places to hide bugs (with false hope that you can figure out the difference between code and data magically in a new layer).
>
> -- Dustin Sallings

-- View this message in context: http://old.nabble.com/SQLite-file-Validation-tp28612927p28613149.html
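An added example, not code from either poster, that puts the two options in the thread side by side: the proposed "replace ; with ," filter in front of string-concatenated SQL, versus a fixed query with a bound parameter (the Python sqlite3 module's `?` placeholder, the equivalent of sqlite3_prepare_v2 plus sqlite3_bind_text in the C API). The table, titles and paths are constructed for the example. It shows two things the filter cannot fix: a legitimate filename containing semicolons is silently altered and no longer matches, while injection payloads that need no semicolon at all (a tautology, a UNION against sqlite_master) pass the filter untouched.

```python
import sqlite3

# Constructed sample library for this example; not data from the thread.
SAMPLE_TITLES = [
    ("Michael Jackson; Beat it; Thriller", "/media/mj/beat_it.mp3"),
    ("Queen; Bohemian Rhapsody", "/media/queen/bohemian_rhapsody.mp3"),
    ("Daft Punk - Around the World", "/media/daft_punk/around_the_world.mp3"),
]


def open_library():
    """Build an in-memory SQLite library table populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE media (id INTEGER PRIMARY KEY, title TEXT NOT NULL, path TEXT NOT NULL)"
    )
    # executemany with '?' placeholders is itself the bind approach.
    conn.executemany("INSERT INTO media (title, path) VALUES (?, ?)", SAMPLE_TITLES)
    conn.commit()
    return conn


def strip_semicolons(value):
    """The filter proposed in the thread: turn every ';' into ','."""
    return value.replace(";", ",")


def find_by_title_concat(conn, title):
    """Vulnerable pattern: filtered input is still spliced into the SQL text.

    Anything that closes the quote and continues the WHERE clause (OR, UNION,
    a subquery) needs no ';' at all, so the filter does not stop it. It does,
    however, corrupt any legitimate title that happens to contain a ';'.
    """
    sql = "SELECT path FROM media WHERE title = '" + strip_semicolons(title) + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_title_bound(conn, title):
    """Safe pattern: fixed SQL text; the title travels as a bound parameter.

    The value is never parsed as SQL, so quotes, semicolons and keywords in a
    filename are just characters of the title, and the statement text can be
    prepared once and reused.
    """
    rows = conn.execute("SELECT path FROM media WHERE title = ?", (title,))
    return [row[0] for row in rows]


# Payloads that contain no ';' and therefore pass the proposed filter untouched.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
SCHEMA_DUMP_PAYLOAD = "x' UNION SELECT sql FROM sqlite_master WHERE '1'='1"


if __name__ == "__main__":
    conn = open_library()
    real_title = SAMPLE_TITLES[0][0]
    print("concat, real title :", find_by_title_concat(conn, real_title))
    print("bound,  real title :", find_by_title_bound(conn, real_title))
    print("concat, tautology  :", find_by_title_concat(conn, TAUTOLOGY_PAYLOAD))
    print("bound,  tautology  :", find_by_title_bound(conn, TAUTOLOGY_PAYLOAD))
    print("concat, schema dump:", find_by_title_concat(conn, SCHEMA_DUMP_PAYLOAD))
    print("bound,  schema dump:", find_by_title_bound(conn, SCHEMA_DUMP_PAYLOAD))
```

With the concatenated query the real "Michael Jackson; Beat it; Thriller" row is never found, because the filter rewrote the title before it reached SQLite, while the tautology payload returns every row and the UNION payload returns the CREATE TABLE text from sqlite_master. The bound query returns exactly the one matching row for the real title and nothing for either payload. The only thing the semicolon filter does address is a stacked second statement, and in the C API sqlite3_prepare_v2 compiles only the first statement of the text anyway (the remainder is handed back in pzTail), so that is not where the risk lies.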