Hello Alexey,

uh, yes, that is true. But preprocessing the value of
user_id, etc. should insulate you from that sort of thing, right?
Unfortunately, the Tclers' Wiki does not give a ready solution for
that. But with

[string map {\; "" \[ "" \] ""} $user_id]

you can get rid of most threats, right?

Regards,

Arjen

On 2009-02-27 16:01, Alexey Pechnikov wrote:
> Hello!
> 
> On Friday 27 February 2009 17:32:36 Arjen Markus wrote:
>> This is the Tcl binding, right?
>> You could replace the variable by its value using [string map]:
>>
>> db eval [string map [list USER_ID $user_id ...] $sql_statement]
>>
>> or more directly:
>>
>> db eval \
>>      "CREATE TABLE view_report_01 AS ...
>>      WHERE u.id = $user_id
>>      ..."
>>
> 
> With SQL injection security problems as result. It's not a good decision.
> 
> 
> Best regards.
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
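
An added example (not code from the thread) contrasting the two approaches discussed above in the SQLite Tcl binding: substituting the value into the SQL text versus letting the binding bind the Tcl variable itself. The table, rows and the proc names find_unsafe/find_safe are constructed for this example; note that a [string map] filter on ; [ ] leaves a single quote in the value untouched.

```tcl
package require sqlite3

# Constructed in-memory sample database for the example (not from the thread).
sqlite3 db :memory:
db eval {
    CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);
    INSERT INTO users VALUES(1, 'alice');
    INSERT INTO users VALUES(2, 'O''Brien');
}

# Unsafe: the SQL is in double quotes, so Tcl substitutes $name into the
# statement text before SQLite sees it. The value becomes part of the SQL
# syntax, and filtering a few characters does not change that.
proc find_unsafe {name} {
    return [db eval "SELECT id FROM users WHERE name = '$name'"]
}

# Safe: braces suppress Tcl substitution. The SQLite Tcl binding finds the
# literal text "$name" in the statement, compiles it as a bound parameter and
# binds the current value of the Tcl variable name at execution time, so the
# value is always data and is never parsed as SQL.
proc find_safe {name} {
    return [db eval {SELECT id FROM users WHERE name = $name}]
}

puts [find_safe alice]                  ;# 1
puts [find_safe O'Brien]                ;# 2  (the quote is just part of the value)
puts [catch {find_unsafe O'Brien} err]  ;# 1  (the same value breaks the
puts $err                               ;#     hand-built statement: SQL error)
```

The bound-variable form also lets SQLite reuse the compiled statement across calls, since the SQL text no longer changes with the input.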






