Dear list,
Sorry for jumping onto the list mainly to ask a question, but it is an
important one, and I have failed to find the answer on Google.
I am developing a prototype of an application in Tcl using sqlite as
the backend database. Now, I know that I will be dealing with quite
naïve users,
Does Tcl support binding of parameters to prepared statements?
If yes, then just do that and you will not need to do any quoting or
think of any ifs.
Pavel
On Thu, Jul 16, 2009 at 3:49 AM, Fredrik Karlsson dargo...@gmail.com wrote:
Dear list,
Sorry for jumping onto the list mainly to ask a
Fredrik Karlsson schrieb:
Dear list,
Sorry for jumping onto the list mainly to ask a question, but it is an
important one, and I have failed to find the answer on Google.
I am developing a prototype of an application in Tcl using sqlite as
the backend database. Now, I know that I will be
On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker m...@contact.de wrote:
You're working far too hard. The sqlite Tcl binding already does all that's
needed.
This is perfectly safe:
set result [db1 eval {select * from X where label = $myStringValue and id = $compId}]
But you MUST use {} to
Fredrik Karlsson schrieb:
On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker m...@contact.de wrote:
You're working far too hard. The sqlite Tcl binding already does all that's
needed.
This is perfectly safe:
set result [db1 eval {select * from X where label = $myStringValue and id = $compId}]
http://unixwiz.net/techtips/sql-injection.html is a nice introduction to
SQL injection attacks (learning by example). It also explains why binding
is far superior to trying to invent a set of rules and cleaning the input.
On Thu, Jul 16, 2009 at 9:01 AM, Michael Schlenker m...@contact.de
On Thu, Jul 16, 2009 at 4:20 AM, Michael Schlenker m...@contact.de wrote:
This is perfectly safe:
set result [db1 eval {select * from X where label = $myStringValue and id = $compId}]
But you MUST use {} to quote your query and not "", so sqlite gets to do
the substitution (or better said
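The contrast Michael describes, as an added example that is not part of the original thread: the table X, its two rows and the attacker-supplied string are constructed here, and the proc names unsafeLookup and safeLookup are assumed for illustration. With "..." Tcl substitutes the variable into the SQL text before the sqlite3 binding sees it; with {...} the binding itself parses $label and $id as parameters and binds the Tcl variables' values with sqlite3_bind_*, so the input can only ever be data.

```tcl
#!/usr/bin/env tclsh
# Added example, not code from the original thread.
# Contrast Tcl-level string substitution ("...") with SQLite parameter
# binding ({...}) in the sqlite3 Tcl binding.
package require sqlite3

sqlite3 db :memory:
db eval {CREATE TABLE X(id INTEGER PRIMARY KEY, label TEXT NOT NULL)}
db eval {INSERT INTO X(label) VALUES('alpha')}
db eval {INSERT INTO X(label) VALUES('beta')}

# Constructed attacker input: closes the quoted literal, widens the WHERE
# clause and comments out whatever follows.
set myStringValue {' OR 1=1 --}
set compId 1

# UNSAFE: Tcl performs the substitution, so the SQL text that reaches SQLite is
#   SELECT id FROM X WHERE label = '' OR 1=1 --' AND id = 1
# The "--" turns the rest of the statement into a comment and every row matches.
proc unsafeLookup {label id} {
    return [db eval "SELECT id FROM X WHERE label = '$label' AND id = $id"]
}

# SAFE: braces stop Tcl from touching $label and $id. The sqlite3 binding
# receives the literal SQL text, treats $label and $id as named parameters and
# binds the values of the Tcl variables (resolved in the caller's scope), so no
# quoting or escaping is needed and the input cannot change the statement.
proc safeLookup {label id} {
    return [db eval {SELECT id FROM X WHERE label = $label AND id = $id}]
}

# db eval returns a flat list of column values; compare the two row counts.
puts "unsafe form matched [llength [unsafeLookup $myStringValue $compId]] row(s)"
puts "safe form matched   [llength [safeLookup $myStringValue $compId]] row(s)"

# The safe form is also the normal lookup: legitimate input works unchanged.
set myStringValue beta
set compId 2
puts "normal lookup: [safeLookup $myStringValue $compId]"

# Caveat: a bound parameter can stand in for a value, never for an identifier.
# If a table or column name has to vary, pick it from an allow-list the program
# controls and only then splice it into the SQL text.
set column label
if {$column ni {id label}} {error "unexpected column name: $column"}
puts "allow-listed column: [db eval "SELECT $column FROM X ORDER BY id"]"

db close
```

Run it with tclsh (the sqlite3 package ships with most Tcl distributions): the unsafe proc returns both ids because the injected string rewrote the query, while the safe proc returns an empty list because no row's label equals the literal text ' OR 1=1 --. The last section is the one place binding does not help, which is why identifiers are checked against a fixed list before being substituted.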