On 11/4/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> The authorizer is used to protect against SQL injection attacks
> when the SQL text originates from user input. Typically an
> application will turn the authorizer on when preparing user-supplied
> SQL then turn it right back off again so that its own internal
> SQL can run unfiltered. Example:
>
> sqlite3_set_authorizer(db, ignore_passwd_column);
> stmt1 = sqlite3_prepare(db, zSqlFromUser);
> sqlite3_set_authorizer(db, 0);
> stmt2 = sqlite3_prepare(db, zInternalSql);
> sqlite3_step(stmt1); -- Oops! Might try to recompile!

Well, obviously, part of the sqlite3_stmt structure, then, is the
authorizer that is used on that particular statement ;) So change it
so that *if* you decide to do this, sqlite3_stmt also has its
authorizer as well as the original SQL statement.

Better might be to have an alternative data structure (sqlite3_stmt2)
with calls as appropriate.

-austin
--
Austin Ziegler * [EMAIL PROTECTED]
* Alternate: [EMAIL PROTECTED]
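
The authorizer pattern from the quoted message (filter on while user-supplied SQL is compiled, off again for internal SQL), as an added example that is not part of the original thread. It uses Python's standard `sqlite3` module rather than the C API; the `users` table, the sample row and the helper names are constructed for illustration.

```python
import sqlite3

def ignore_passwd_column(action, arg1, arg2, db_name, source):
    """Authorizer for untrusted SQL: read-only, with users.passwd hidden."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:
        # For SQLITE_READ, arg1 is the table name and arg2 the column name.
        # SQLITE_IGNORE compiles the statement with NULL in place of the column.
        return sqlite3.SQLITE_IGNORE if arg2 == "passwd" else sqlite3.SQLITE_OK
    # Everything else (INSERT, UPDATE, DELETE, DDL, PRAGMA, ATTACH, functions).
    return sqlite3.SQLITE_DENY

def allow_all(*_args):
    """Permissive authorizer, standing in for sqlite3_set_authorizer(db, 0)."""
    return sqlite3.SQLITE_OK

def make_db():
    # Constructed sample data. isolation_level=None keeps Python from issuing
    # an implicit BEGIN, so a denial is attributed to the statement itself.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE users(name TEXT, passwd TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db

def run_user_sql(db, sql):
    """Compile and run untrusted SQL with the authorizer installed."""
    db.set_authorizer(ignore_passwd_column)
    try:
        return db.execute(sql).fetchall()
    finally:
        # Restore unfiltered access for the application's own statements.
        db.set_authorizer(allow_all)

def run_internal_sql(db, sql, params=()):
    """Application-owned SQL, run without filtering."""
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(run_user_sql(db, "SELECT name, passwd FROM users"))
    print(run_internal_sql(db, "SELECT passwd FROM users WHERE name = ?", ("alice",)))
```
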