On Sat, 18 Jul 2009 10:17:14 -0700, Kelly Jones wrote:
> On a website, I want to take a user's query "as is", save it to a
> userquery.txt, and then do:
> 
> sqlite3 /path/to/mydb < userquery.txt
> 
> where /path/to/mydb is a *read-only* file.
> 
> Is there *any* risk of an injection attack here?

Yes. Massively. You need to read up on the fundamentals of SQL 
injection, and use a proper API for accessing the DB that allows you to 
use bind variables.

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
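The point of the reply above, as an added example that is not part of the original thread: even against a database nobody can modify, letting user text become part of the SQL lets the user change what the query *selects*. The snippet below uses Python's sqlite3 module with a constructed `users` table and a constructed attacker string; the table, column names and payload are assumptions for the demo, not anything from the mail.

```python
"""Added example, not from the original mailing-list post.

Contrasts the approach in the question (user text pasted into the SQL)
with a bound parameter, on a read-only-in-spirit dataset: nothing is
written, yet the unsafe path leaks rows the WHERE clause was meant to hide.
"""
import sqlite3


def make_db():
    """Constructed sample data: one admin and one ordinary user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", 1),  # admin, not meant to be exposed
            ("bob", "bob@example.com", 0),
        ],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """Mirrors the question: the user's text becomes part of the statement.

    The intended filter is 'this name AND non-admin only'. Because the text
    is spliced in, a quote in it ends the literal and the rest is parsed as
    SQL, so the attacker controls the WHERE clause.
    """
    sql = (
        "SELECT name, email FROM users WHERE name = '"
        + name
        + "' AND is_admin = 0"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Bind variable: SQLite receives the text as a value, never as SQL.

    Quotes, comment markers and keywords in `name` have no syntactic
    effect; the statement shape is fixed before the value is attached.
    """
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ? AND is_admin = 0",
        (name,),
    ).fetchall()


# Constructed attacker input for the demo. In the unsafe path it becomes
#   ... WHERE name = 'x' OR 1=1 --' AND is_admin = 0
# and the trailing "--" comments out the admin check entirely.
PAYLOAD = "x' OR 1=1 --"


if __name__ == "__main__":
    db = make_db()
    print("unsafe, honest input :", lookup_unsafe(db, "bob"))
    print("unsafe, payload      :", lookup_unsafe(db, PAYLOAD))  # leaks alice
    print("safe,   payload      :", lookup_safe(db, PAYLOAD))    # no rows
    print("safe,   honest input :", lookup_safe(db, "bob"))
```

No row is modified in either path, which is exactly why a read-only database file does not settle the question: the injection here is a confidentiality failure, not an integrity one. The sqlite3 command-line shell is worse than this toy, since it executes whole scripts, dot-commands and `ATTACH` of other database files, so permissions on the one file in the question are not a boundary at all. A driver with bound parameters, as the reply recommends, fixes the statement before any user value touches it.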