Hello!

On Friday 27 February 2009 18:08:19 you wrote:
> [string map {\; "" \[ "" \] ""} $user_id]
>
> you can get rid of most threats, right?
We can do

    set param {test' sql with some injection}
    puts $param
    set param [db onecolumn {select quote($param)}]
    puts $param

and get the result

    test' sql with some injection
    'test'' sql with some injection'

Well, it's good. And now the query

    db eval "create view view_events as select * from events where value!=$param"

is valid. But how about a construction such as

    db eval {create view view_events as select * from events where value!=#param}

where #param will be automatically replaced by the result of {select quote($param)}?

Best regards.
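The points raised in this thread (a character blacklist does nothing about the stray single quote, SQLite's own quote() renders a safe literal, bound parameters are the normal answer, and a view is the one place where bound parameters cannot be used, so quote() is the fallback there) can be checked end to end. The following is an added example, not code from the post; it uses Python's sqlite3 module instead of the Tcl binding, an in-memory database, and a constructed events table, so the "?" placeholders stand in for Tcl's $var binding and the table contents are invented.

```python
import sqlite3

# Constructed sample input: the same attempted-injection string as in the post.
PAYLOAD = "test' sql with some injection"


def blacklist_strip(value):
    """Mimic the Tcl `string map {\\; "" \\[ "" \\] ""}` idea from the quoted reply.
    It removes ';', '[' and ']' only; the single quote that actually breaks SQL survives."""
    return value.translate(str.maketrans("", "", ";[]"))


def sql_quote(conn, value):
    """Let SQLite render VALUE as a SQL literal with quote(). The value reaches quote()
    as a bound parameter, so the quoting step itself cannot be injected into."""
    return conn.execute("SELECT quote(?)", (value,)).fetchone()[0]


def build_db():
    """In-memory database with a constructed events table (three rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events(id INTEGER PRIMARY KEY, value TEXT)")
    conn.executemany("INSERT INTO events(value) VALUES (?)",
                     [("ok",), (PAYLOAD,), ("other",)])
    return conn


def unsafe_interpolation(conn, value):
    """Weak pattern: splice the raw string into the statement with hand-written quotes.
    Returns the error SQLite raises (None if the statement ran); the embedded quote
    ends the literal early and the rest of the text becomes SQL."""
    try:
        conn.execute(f"SELECT count(*) FROM events WHERE value != '{value}'")
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def count_not_equal_via_quote(conn, value):
    """Interpolate a quote()-produced literal, as the post does for its CREATE VIEW."""
    literal = sql_quote(conn, value)
    return conn.execute(f"SELECT count(*) FROM events WHERE value != {literal}").fetchone()[0]


def count_not_equal_bound(conn, value):
    """Preferred pattern for ordinary statements: a bound parameter, never text splicing."""
    return conn.execute("SELECT count(*) FROM events WHERE value != ?", (value,)).fetchone()[0]


def create_view_via_quote(conn, value):
    """Views store their SQL text, so the literal must be in the text; quote() makes it safe.
    Returns the row count of the resulting view."""
    literal = sql_quote(conn, value)
    conn.execute(f"CREATE VIEW view_events AS SELECT * FROM events WHERE value != {literal}")
    return conn.execute("SELECT count(*) FROM view_events").fetchone()[0]


def view_rejects_parameters(conn):
    """SQLite refuses a bound parameter inside CREATE VIEW; this is why quote() is
    the right tool for that specific statement. Returns True if the rejection happened."""
    try:
        conn.execute("CREATE VIEW view_bound AS SELECT * FROM events WHERE value != ?", ("x",))
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("blacklist keeps the quote:", blacklist_strip(PAYLOAD))
    print("quote() literal:", sql_quote(db, PAYLOAD))
    print("naive splicing error:", unsafe_interpolation(db, PAYLOAD))
    print("rows via quote():", count_not_equal_via_quote(db, PAYLOAD))
    print("rows via binding:", count_not_equal_bound(db, PAYLOAD))
    print("view rows:", create_view_via_quote(db, PAYLOAD))
    print("view rejects parameters:", view_rejects_parameters(db))
```

The quote() literal produced here is exactly the 'test'' sql with some injection' string shown in the post; quote() also handles NULL and BLOB values, which a hand-rolled blacklist or a manual doubling of quotes does not. For anything other than a view definition, the bound-parameter form is what to reach for.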