Many thanks John, so if I take that example and push it out so I can have 1 method that can return a SQL select statement on any table, field and search criteria, I would only need to do this?

In Ruby it would be:

    def make_SQL(table, field, criteria)
      stmt = "select * from #{table} where #{field} = #{criteria}"
      row = db.execute(stmt)
    end

and the SQLite3 way would be:

    def make_SQL(table, field, criteria)
      stmt = "select * from ? where ? = ?"
      row = db.execute(stmt)
    end

Would this presumption be correct? Thanks.

2009/6/15 John Elrick <john.elr...@fenestra.com>

> dave lilley wrote:
> > I am using sqlite3 with ruby and hope I'm not out of place here in asking for
> > some help on how to stop or reduce injection threats via sql statements made
> > by a user, be it accidental or deliberate.
> >
> > I want to build a select query from user entered data and then return rows
> > that match.
> >
> > e.g. stmt = "select * from customers where cust_no = #{uservar}"
> >
> > row = db.execute(stmt)
> >
>
> stmt = "select * from customers where cust_no = ?"
> row = db.execute(stmt, uservar)
>
> HTH
>
> John
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
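An added example (not code from this thread) that answers the question above with a runnable check. It uses Python's built-in sqlite3 module because it ships with the interpreter; the placeholder rules belong to the SQLite engine and are the same through the Ruby gem. It shows that "?" can only bind values, never table or column names, so identifiers go through a fixed allow-list and are quoted, while the search criteria is passed as a parameter. The customers table, its rows and the ALLOWED map are constructed for the demo.

```python
import sqlite3

# Constructed allow-list of the tables and columns a caller may name.
ALLOWED = {"customers": {"cust_no", "name"}}

def open_db():
    # Constructed in-memory stand-in for the poster's customers table.
    db = sqlite3.connect(":memory:")
    db.execute("create table customers (cust_no integer, name text)")
    db.executemany("insert into customers values (?, ?)",
                   [(1, "alice"), (2, "bob")])
    return db

def make_sql_interpolated(db, table, field, criteria):
    # The first form from the post: everything is pasted into the SQL text,
    # so whatever the user typed becomes part of the statement.
    stmt = f"select * from {table} where {field} = {criteria}"
    return db.execute(stmt).fetchall()

def placeholder_for_table_fails(db):
    # The second form from the post: SQLite treats '?' as a value slot,
    # so '?' where a table or column name is expected is a syntax error.
    try:
        db.execute("select * from ? where ? = ?", ("customers", "cust_no", 1))
        return False
    except sqlite3.OperationalError:
        return True

def make_sql_bound(db, table, field, criteria):
    # Safe version: identifiers are checked against ALLOWED and quoted,
    # and only the comparison value is bound as a parameter.
    if table not in ALLOWED or field not in ALLOWED[table]:
        raise ValueError("unknown table or column")
    stmt = f'select * from "{table}" where "{field}" = ?'
    return db.execute(stmt, (criteria,)).fetchall()

def rejects_identifier(db, table, field):
    # True when make_sql_bound refuses the given table/column pair.
    try:
        make_sql_bound(db, table, field, 1)
        return False
    except ValueError:
        return True
```

With the bound form, an input such as "1 or 1=1" is compared as a single value and matches no row, whereas the interpolated form returns every row.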