Re: [sqlite] Security vulnerabilities prevalent in web tutorials for PHP, javascript, etc..

2017-04-23 Thread Keith Medcalf
> I’m curious about binding as an idea. I never used SQLite 1 or 2. Was
> binding originally done to avoid security vulnerability or was that just
> the result of implementing it for some other reason ?

If you are talking about things other than SQLite (which is very new to the scene as

Re: [sqlite] Security vulnerabilities prevalent in web tutorials for PHP, javascript, etc..

2017-04-23 Thread Richard Hipp
On 4/23/17, Simon Slavin wrote:
> I’m curious about binding as an idea. I never used SQLite 1 or 2. Was
> binding originally done to avoid security vulnerability or was that just the
> result of implementing it for some other reason ?

Binding was added to make the TCL

Re: [sqlite] Security vulnerabilities prevalent in web tutorials for PHP, javascript, etc..

2017-04-23 Thread Simon Slavin
I’m curious about binding as an idea. I never used SQLite 1 or 2. Was binding originally done to avoid security vulnerability or was that just the result of implementing it for some other reason ? Looking at the work I did on other languages which use English-like commands I never used

Re: [sqlite] Security vulnerabilities prevalent in web tutorials for PHP, javascript, etc..

2017-04-23 Thread Richard Hipp
Recall that SQLite was originally created as a Tcl (https://www.tcl.tk/) extension. Using TCL, the first example reported in the article would be coded like this:

set result [db eval {SELECT count(*) FROM users WHERE userid=$_POST(newid)}]

With the TCL interface to SQLite, the code above is

Re: [sqlite] Security vulnerabilities prevalent in web tutorials for PHP, javascript, etc..

2017-04-23 Thread J. King
On April 23, 2017 4:31:42 PM EDT, Simon Slavin wrote:
>There’s been almost no traffic on this list this weekend so I don’t
>feel too bad posting something that’s not specifically about SQLite.
>But a lot of us use SQLite as a back end for web-facing databases,
>called from

[sqlite] Security vulnerabilities prevalent in web tutorials for PHP, javascript, etc..

2017-04-23 Thread Simon Slavin
There’s been almost no traffic on this list this weekend so I don’t feel too bad posting something that’s not specifically about SQLite. But a lot of us use SQLite as a back end for web-facing databases, called from PHP, and this is about PHP tutorials found on the web. ObAcronym: "SQLi" is

Re: [sqlite] Difference between localtime and utc is 8 hours, but should be 4

2017-04-23 Thread Chris Waters
As Stephen observed when replying to your query, time math is fraught with problems. So I think it will be nothing to do with SQLite per se. I'm guessing it will be in the time offset specification you have entered somewhere, for your environment. You are in what is termed time zone utc -4.

Re: [sqlite] SQLITE_OMIT_* vs amalgamation

2017-04-23 Thread Kim Gräsman
On Wed, Apr 19, 2017 at 1:18 PM, Richard Hipp wrote:
> On 4/19/17, Kim Gräsman wrote:
>> I'm building for both Windows and Linux and it's a reproducible build,
>> so I'd rather not depend on anything extra.
>
> The only thing extra you need is tclsh