dave lilley wrote:
> Sorry for posting twice but...
>
> how does the method you have given me differ to mine?
>
> eg lets say this is the scenario....
>
> uservar = "delete * from customers where * = *"
>
>
>>> e.g. stmt = "select * from customers where cust_no = #{uservar}"
>>> row = db.execute(stmt)
>>>
>
> Now i could understand how my code could possibly allow the records in the
> table to be deleted but what's the difference to the code you gave me?
>
> stmt = "select * from customers where cust_no = ?"
>
> row = db.execute(stmt, uservar)
>
>
> Also I've just notice that you've used the variable as a parameter where in
> my 1st reply I didn't have it - my failure to really look at the code.
>
require 'sqlite3'
db = SQLite3::Database.new(':memory:')
db.execute_batch(<<eof)
begin transaction;
create table foo (
foo_oid integer primary key autoincrement,
bar varchar
);
insert into foo values (null, 'wibble')
eof
db.execute2('select * from foo where foo_oid=?', 1) do |line|
p line
end
["foo_oid", "bar"]
["1", "wibble"]
injection = '4;delete from foo'
db.execute_batch('select * from foo where foo_oid=?', injection)
db.execute2('select * from foo where foo_oid=?', 1) do |line|
p line
end
["foo_oid", "bar"]
["1", "wibble"]
db.execute_batch("select * from foo where foo_oid=#{injection}")
db.execute2('select * from foo where foo_oid=?', 1) do |line|
p line
end
["foo_oid", "bar"]
The difference is that by using this form...
db.execute(sql,bind_arg_1,bind_arg_2,bind_arg_n)
...you are internally using sqlite3_bind_xxx. See
http://www.sqlite.org/c3ref/funclist.html and check the sqlite3_bind_xxx
documentation for more details.
John
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
