On 11/4/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> The authorizer is used to protect against SQL injection attacks
> when the SQL text originates from user input. Typically an
> application will turn the authorizer on when preparing user-supplied
> SQL then turn it right back off again so that its own internal
> SQL can run unfiltered. Example:
>
>     sqlite3_set_authorizer(db, ignore_passwd_column);
>     stmt1 = sqlite3_prepare(db, zSqlFromUser);
>     sqlite3_set_authorizer(db, 0);
>     stmt2 = sqlite3_prepare(db, zInternalSql);
>     sqlite3_step(stmt1);   /* Oops! Might try to recompile! */

Well, obviously, part of the sqlite3_stmt structure, then, is the
authorizer that is used on that particular statement ;) So change it
so that *if* you decide to do this, sqlite3_stmt also has its
authorizer as well as the original SQL statement.

Better might be to have an alternative data structure (sqlite3_stmt2)
with calls as appropriate.

-austin
--
Austin Ziegler * [EMAIL PROTECTED]
               * Alternate: [EMAIL PROTECTED]
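
The idea in the reply above, sketched at application level as an added example (not code from this thread or from SQLite): a wrapper keeps the SQL text together with the authorizer it must run under and reinstalls that authorizer for the whole compile-and-step cycle. It uses Python's built-in `sqlite3` binding rather than the C API so it runs without extra libraries; the `AuthorizedStatement` class, the `allow_all` callback, the `users` table and its contents are hypothetical.

```python
import sqlite3

def ignore_passwd_column(action, arg1, arg2, dbname, source):
    """Authorizer: reads of users.passwd are replaced by NULL."""
    if action == sqlite3.SQLITE_READ and arg1 == "users" and arg2 == "passwd":
        return sqlite3.SQLITE_IGNORE
    return sqlite3.SQLITE_OK

def allow_all(action, arg1, arg2, dbname, source):
    """Stands in for sqlite3_set_authorizer(db, 0): nothing is filtered."""
    return sqlite3.SQLITE_OK

class AuthorizedStatement:
    """Hypothetical wrapper: SQL text plus the authorizer it must run under."""

    def __init__(self, db, sql, authorizer):
        self.db, self.sql, self.authorizer = db, sql, authorizer

    def run(self, params=()):
        # The authorizer stays installed from compilation through the last
        # step, so a recompile during stepping sees the same policy.
        self.db.set_authorizer(self.authorizer)
        try:
            return self.db.execute(self.sql, params).fetchall()
        finally:
            self.db.set_authorizer(allow_all)

def demo():
    db = sqlite3.connect(":memory:")
    db.set_authorizer(allow_all)
    db.execute("CREATE TABLE users(name TEXT, passwd TEXT)")
    # Constructed sample row.
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-secret')")
    user = AuthorizedStatement(db, "SELECT name, passwd FROM users",
                               ignore_passwd_column)
    internal = AuthorizedStatement(db, "SELECT passwd FROM users WHERE name = ?",
                                   allow_all)
    first = user.run()
    # A schema change between runs is what forces SQLite to recompile.
    db.execute("ALTER TABLE users ADD COLUMN email TEXT")
    second = user.run()
    return first, second, internal.run(("alice",))

if __name__ == "__main__":
    print(demo())
```
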