As drh indicated, you're already doing what any quote() function would
be doing, so it sounds like you're safe.

My general tendency is to assume that anytime I implement something in
parallel to another implementation, no matter how trivially obviously
identical the implementations are, at some point I'm going to pay a
price (usually because something gets added to the original
implementation and I don't realize I need to change my parallel
implementation).  This may-or-may-not be an appropriate amount of
paranoia for any particular project :-).

-scott


On 10/5/07, Andy Goth <[EMAIL PROTECTED]> wrote:
> On Fri, 5 Oct 2007 09:41:27 -0700, Scott Hess wrote
> > On 10/5/07, Andy Goth <[EMAIL PROTECTED]> wrote:
> > > proc sql_expand {varname} {
> > >    upvar 1 $varname var
> > >    set result [list]
> > >    foreach elem $var {
> > >       lappend result '[string map {' ''} $elem]'
> > >    }
> > >    return [join $result ,]
> > > }
> >
> > You really should be using an SQLite-specific quote function
> > somewhere.
>
> I didn't know SQLite provided one.  It normally doesn't need one, thanks to
> its internal expansion of Tcl variables.  Oh wait, it has quote(), but this
> would not work for me because (by design!) its result is formatted in such a
> way that SQLite interprets it as a single value, *not* a list.  Or I could
> invoke it repeatedly, once per element.
>
> But after all that overhead I imagine I would be better off using Tcl to
> expand my data into multiple variables; at least that way all bytecoding gets
> cached and I'm guaranteed to be immune to injection.
>
> > You could work around it by doing something like [db eval {select
> > quote($arg)}], but that feels clunky.
>
> I'm pretty sure I know how SQLite will perform quote()'ing, and I can
> implement it in pure Tcl easily enough, so I might as well leave it in Tcl.
> Tcl should be able to bytecode string manipulation better than SQLite; string
> manipulation is Tcl's raison d'ĂȘtre.
>
> But maybe I'm wrong about how quote() works.  Can somebody confirm?  In my
> mind, quote($x) is equivalent to '[string map {' ''} $x]' .
>
> > The quoting you're using will work fine for many cases, but are
> > subject to SQL injection attack.
>
> Could you please provide an example?
>
> --
> Andy Goth
> <[EMAIL PROTECTED]>
>
>
> -----------------------------------------------------------------------------
> To unsubscribe, send email to [EMAIL PROTECTED]
> -----------------------------------------------------------------------------
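
Added example (not from the thread, and not the Tcl code the posters exchanged): a Python
script against the standard-library sqlite3 module that checks the two claims made above.
It reproduces sql_expand's quoting (double every single quote, wrap in single quotes),
asks SQLite's own quote() for the same text values to confirm they agree, and then runs
an IN (...) lookup both ways: once with the expanded string spliced into the SQL, and once
with one "?" placeholder per element and the values bound separately, which is what the
Tcl binding's $var expansion does for you. The table, column and sample names are
constructed for the demonstration. The equivalence with quote() holds for values bound as
text, which is all Tcl ever binds; quote() of a number, NULL or blob returns something
else, so do not reuse the helper for those.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
# The last name is chosen to look like an injection attempt.
SAMPLE_NAMES = ["alice", "O'Brien", "bob", "x') OR 1=1 --"]


def tcl_style_quote(value: str) -> str:
    """Quote one text value the way the posted sql_expand does:
    double every single quote, then wrap the result in single quotes."""
    return "'" + value.replace("'", "''") + "'"


def sql_expand(values):
    """Join the quoted values with commas, ready to splice into IN (...)."""
    return ",".join(tcl_style_quote(v) for v in values)


def sqlite_quote(conn, value):
    """Ask SQLite itself to quote the value; a Python str is bound as TEXT."""
    return conn.execute("SELECT quote(?)", (value,)).fetchone()[0]


def quoting_matches_sqlite(values):
    """True if the Tcl-style quoting equals SQLite's quote() for every text value."""
    conn = sqlite3.connect(":memory:")
    try:
        return all(tcl_style_quote(v) == sqlite_quote(conn, v) for v in values)
    finally:
        conn.close()


def make_db():
    """Hypothetical users table populated with the constructed names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def lookup_spliced(conn, names):
    """The thread's approach: expand the list into SQL text and splice it in."""
    sql = "SELECT name FROM users WHERE name IN (" + sql_expand(names) + ") ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, names):
    """The alternative: one '?' per element, values passed to SQLite separately,
    so no quoting routine is involved at all."""
    placeholders = ",".join("?" for _ in names)
    sql = "SELECT name FROM users WHERE name IN (" + placeholders + ") ORDER BY name"
    return [row[0] for row in conn.execute(sql, list(names))]


def compare(names):
    """Run the same lookup both ways and return (spliced_result, bound_result)."""
    conn = make_db()
    try:
        return lookup_spliced(conn, names), lookup_bound(conn, names)
    finally:
        conn.close()


if __name__ == "__main__":
    print("matches quote():", quoting_matches_sqlite(SAMPLE_NAMES))
    print(compare(["O'Brien", "x') OR 1=1 --"]))
```

Both lookups return exactly the two rows whose names were asked for; the quote-doubling
keeps the injection-looking value inside its string literal, and the bound form never
builds a literal in the first place. If the list is ever spliced somewhere other than a
string-literal position (an identifier, a bare number, a LIMIT), the quoting no longer
applies and only the bound form stays safe.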