Hi all,

Scott Baker wrote:
> As mentioned above the BEST way to do it is with prepared statements
> and bound variables. If you have to use raw SQL then just use the
> PDO::quote method:
>
> http://php.web-ster.com/manual/en/pdo.quote.php
>
> $conn = new PDO('sqlite:/home/lynn/music.sql3'); $string = 'Nice';
> print "Quoted string: " . $conn->quote($string) . "\n";
>
> I'm open to discussion about whether or not this is still
> vulnerable to SQL injection.
The article Jay Kreibich linked to demonstrates a bug in MySQL's C API that was fixed, and I suppose the fix was automatically reflected back in PHP's MySQL extension when it was updated. SQLite's C API has no such escaping function, so it depends on what PHP's SQLite PDO driver does to implement the quoting.

I certainly hope that it is not vulnerable to SQL injection: if it is, how do we handle the fact that we cannot bind a list of values to a single parameter, and thus have to manually build the SQL statement if we want to use IN ('x', 'y', 'z', ...), where the length and content of the list is determined by the user? At the moment I would simply apply PDO::quote to x, y, z (and the rest) individually.

Regards,
Eugene Wee

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
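The IN (...) case raised above, as an added example that is not code from the thread: the list length is only known at runtime, so the SQL text is built with one `?` placeholder per value and the values themselves are bound, which avoids depending on the driver's quoting at all. A second function shows the per-element PDO::quote fallback for comparison. It assumes PHP with the PDO sqlite driver; the table, rows and user list are constructed here.

```php
<?php
// Added example: bind a user-controlled list to IN (...) with one placeholder
// per element. Only the number of placeholders comes from the input, never
// the values, so the statement structure cannot be altered by list contents.
function selectByNames(PDO $db, array $names): array
{
    if ($names === []) {
        return []; // "IN ()" is a syntax error in SQLite, so short-circuit
    }
    $names = array_values($names); // positional binding needs 0..n-1 keys
    $placeholders = implode(', ', array_fill(0, count($names), '?'));
    $stmt = $db->prepare(
        "SELECT id, name FROM track WHERE name IN ($placeholders) ORDER BY id"
    );
    $stmt->execute($names);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fallback discussed in the thread: quote each element and splice the text in.
// Correctness here rests entirely on the driver's PDO::quote implementation.
function selectByNamesQuoted(PDO $db, array $names): array
{
    if ($names === []) {
        return [];
    }
    $quoted = [];
    foreach ($names as $name) {
        $q = $db->quote((string) $name);
        if ($q === false) {
            throw new RuntimeException('driver does not support PDO::quote');
        }
        $quoted[] = $q;
    }
    $sql = 'SELECT id, name FROM track WHERE name IN (' . implode(', ', $quoted) . ') ORDER BY id';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (in-memory database).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE track (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO track (name) VALUES (?)');
foreach (["Nice", "Rock'n'Roll", "Blues"] as $name) {
    $insert->execute([$name]);
}

// Constructed user list: the embedded quote is matched as a literal name,
// so both functions return only the two real matches.
$userList = ["Nice", "Rock'n'Roll", "' OR 1=1 --"];
print_r(selectByNames($db, $userList));
print_r(selectByNamesQuoted($db, $userList));
```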