So it becomes the responsibility of the application to acknowledge when
binding is allowed or not.  Got it.  Clear now.  Thanks.

I was thinking small in this case.  My own app, I know what's being fed, I
already bind most things, but I absolutely can see the use of this.  Time
to see if I can add this particular function to my wrapper... one of
these days.

On Wed, Apr 17, 2019 at 2:22 PM Simon Slavin <slav...@bigfraud.org> wrote:

> On 17 Apr 2019, at 6:37pm, Stephen Chrzanowski <pontia...@gmail.com>
> wrote:
>
> > What measures the trustworthiness?  At what point would the running
> > application be notified that the statement was bound or injection avenue?
>
> You can include parameters as text in your SQL command:
>
>     UPDATE invoices SET toBePaid="1.23" WHERE customerId="7524"
>
> If someone is attacking your server using SQL injection on a whole
> statement, that's what they'd do.  And sqlite3_value_frombind() would
> return FALSE.  Of course, to detect this the application does need to call
> sqlite3_value_frombind() on each parameter it cares about.
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>