Hi all,

Scott Baker wrote:
> As mentioned above the BEST way to do it is with prepared statement
> and bound variables. If you have to use raw SQL then just use the
> PDO::quote method:
> 
> http://php.web-ster.com/manual/en/pdo.quote.php
> 
> $conn = new PDO('sqlite:/home/lynn/music.sql3');
> $string = 'Nice';
> print "Quoted string: " . $conn->quote($string) . "\n";
> 
> I'm open to discussion about whether or not this is still
> vulnerable to SQL injection.
> 

The article Jay Kreibich linked to demonstrates a bug in MySQL's C API
that was fixed, and I suppose the fix was automatically reflected back
in PHP's MySQL extension when it was updated. SQLite's C API has no such
escaping function, so it depends on what PHP's SQLite PDO driver does to
implement the quoting.

I certainly hope that it is not vulnerable to SQL injection: if it is,
how do we handle the fact that we cannot bind a list of values to a
single parameter, and thus have to manually build the SQL statement if
we want to use IN ('x', 'y', 'z', ...), where the length and content of
the list is determined by the user? At the moment I would simply apply
PDO::quote to x, y, z (and the rest) individually.

Regards,
Eugene Wee
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
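The IN (...) case Eugene raises above, as an added example that is not code from Scott, Eugene, or the PHP project: the list is user-controlled, so it is bound one placeholder per element instead of interpolated, with the PDO::quote() fallback from the message beside it for comparison. The in-memory database, the `tracks` table, its rows, the hostile input, and the function names are all constructed here for illustration; the on-disk music.sql3 file is not used.

```php
<?php
// Added example for the thread above, not code from the original messages.
// Assumptions: an in-memory SQLite database and a constructed "tracks" table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tracks (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO tracks (title) VALUES (?)');
foreach (['Nice', "Don't Stop", 'Secret'] as $title) {   // constructed rows
    $ins->execute([$title]);
}

// Preferred form: one '?' per list element, every value bound, nothing
// from the user ever becomes part of the SQL text.
function titlesInBound(PDO $pdo, array $titles): array
{
    if ($titles === []) {
        return [];   // "IN ()" is a syntax error in SQLite, so short-circuit
    }
    $placeholders = implode(', ', array_fill(0, count($titles), '?'));
    $stmt = $pdo->prepare(
        "SELECT title FROM tracks WHERE title IN ($placeholders) ORDER BY id"
    );
    $stmt->execute(array_values($titles));   // positional binds 1..n
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Fallback described in the message: quote each element individually with
// PDO::quote(), then assemble the raw SQL by hand.
function titlesInQuoted(PDO $pdo, array $titles): array
{
    if ($titles === []) {
        return [];
    }
    $quoted = [];
    foreach ($titles as $t) {
        $quoted[] = $pdo->quote($t);   // driver-specific quoting, as discussed
    }
    $sql = 'SELECT title FROM tracks WHERE title IN ('
         . implode(', ', $quoted) . ') ORDER BY id';
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed hostile input: the last element tries to close the list and
// add an always-true condition.
$userList = ['Nice', "Don't Stop", "x') OR 1=1 --"];

var_dump(titlesInBound($pdo, $userList));    // matches literal titles only
var_dump(titlesInQuoted($pdo, $userList));   // same result via quote()

// The unescaped "manual build" the message warns about, for contrast:
$hostile = ['Nice', "x') OR 1=1 --"];
$naive = "SELECT title FROM tracks WHERE title IN ('"
       . implode("', '", $hostile) . "')";
var_dump($pdo->query($naive)->fetchAll(PDO::FETCH_COLUMN));   // every row: injected
```

In the bound and quoted versions the injection string is compared as an ordinary title value and matches nothing, while the naive concatenation turns it into `... IN ('Nice', 'x') OR 1=1 --')` and returns the whole table. One caveat on the placeholder approach: SQLite caps the number of bound parameters per statement (SQLITE_MAX_VARIABLE_NUMBER, 999 in older builds), so very long user lists should be chunked or loaded into a temporary table rather than expanded into a single IN (...).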