On 17 Apr 2019, at 6:37pm, Stephen Chrzanowski <[email protected]> wrote:
> What measures the trustworthiness? At what point would the running
> application be notified that the statement was bound or injection avenue?
You can include parameters as text in your SQL command:
UPDATE invoices SET toBePaid="1.23" WHERE customerId="7524"
If someone is attacking your server using SQL injection on a whole statement,
that's what they'd do. And sqlite3_value_frombind() would return FALSE. Of
course, to detect this the application does need to call
sqlite3_value_frombind() on each parameter it cares about.
_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
