Hello!

On Friday 27 February 2009 18:08:19 you wrote:
> [string map {\; "" \[ "" \] "" $user_id]
>
> you can get rid of most threats, right?

We can do
set param {test' sql with some injection}
puts $param
set param [db onecolumn {select quote($param)}]
puts $param

and get result
test' sql with some injection
'test'' sql with some injection'

Well, it's good. And now the query
db eval "create view view_events as select * from events where value!=$param"
is valid.

But how about a construction such as
db eval {create view view_events as select * from events where value!=#param}
where #param will be automatically replaced by the result of {select
quote($param)}?

Best regards.
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
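
The following is an added worked example written for this page by the editor; it is not code from either poster and not part of the SQLite Tcl binding. It reproduces the post's approach in Python's sqlite3 module instead of Tcl: bind the value once as a real parameter to SELECT quote(?), then splice the returned literal into the CREATE VIEW text. It also shows the two things the thread circles around: stripping only `;`, `[` and `]` (as in the quoted reply) leaves the single quote in place and yields a broken statement, and binding a parameter directly inside CREATE VIEW is rejected by SQLite, which is why quote() is needed for schema statements at all. The table, rows and the hostile string are constructed for the example.

```python
import sqlite3

# Constructed sample input: the same hostile-looking string the post uses.
HOSTILE = "test' sql with some injection"


def quote_literal(conn, value):
    """Let SQLite build the literal: bind the value, return quote(value).

    quote() doubles embedded single quotes and wraps the result in quotes,
    so the returned text is a complete SQL string literal."""
    return conn.execute("SELECT quote(?)", (value,)).fetchone()[0]


def create_view_with_quote(conn, value):
    """The post's approach: quote() via a bound parameter, then interpolate
    the finished literal into a statement that cannot take parameters."""
    lit = quote_literal(conn, value)
    conn.execute(
        "CREATE VIEW view_events AS SELECT * FROM events WHERE value != " + lit
    )
    return lit


def view_values(conn):
    """Rows visible through the view, to show the filter applied literally."""
    return [r[0] for r in conn.execute("SELECT value FROM view_events ORDER BY value")]


def naive_strip_breaks(conn, value):
    """Mirror of the quoted reply's string map (drop ';', '[' and ']') plus
    hand-added quotes. The embedded single quote survives, so SQLite rejects
    the statement. Returns True if SQLite raised an error."""
    stripped = value.replace(";", "").replace("[", "").replace("]", "")
    sql = "CREATE VIEW v_naive AS SELECT * FROM events WHERE value != '" + stripped + "'"
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:
        return True
    conn.execute("DROP VIEW v_naive")
    return False


def bound_param_in_view_fails(conn, value):
    """Why the post needs quote() here: SQLite does not allow ? parameters
    inside CREATE VIEW. Returns True if SQLite raised an error."""
    try:
        conn.execute(
            "CREATE VIEW v_bound AS SELECT * FROM events WHERE value != ?", (value,)
        )
    except sqlite3.OperationalError:
        return True
    conn.execute("DROP VIEW v_bound")
    return False


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events(value TEXT)")
    # Constructed rows; one of them is exactly the hostile string.
    conn.executemany(
        "INSERT INTO events VALUES (?)", [("alpha",), (HOSTILE,), ("beta",)]
    )
    lit = create_view_with_quote(conn, HOSTILE)
    return {
        "literal": lit,
        "view_rows": view_values(conn),
        "naive_strip_rejected": naive_strip_breaks(conn, HOSTILE),
        "bound_param_rejected": bound_param_in_view_fails(conn, HOSTILE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The literal SQLite hands back is the same as in the post, `'test'' sql with some injection'`, and the view built from it filters out exactly the one row whose value is that string. Nothing in the sqlite3 module (or the Tcl binding) rewrites a `#param` token; if you want that convenience you have to wrap the two steps in a small helper such as `create_view_with_quote` above.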
