On May 19, 2010, at 12:46, seandakid wrote:

> Thanks for the quick reply Dustin. That was my concern as well.. it might
> create more issues than it will solve.
>
> One of the devs suggested this code example:
>
> int makeSQLtight(const TCHAR* update);

I'm all for developer laziness, but holistically. Doing lots of work to asymptotically approach "safe" with the effect of encouraging unsafe practices.

This conversation came up a few times on reddit a month or so ago. People brought up things like mysql_real_escape (that is, something (unfortunately) widely used and allegedly well-tested). Rather than stopping at assuming it was wrong, I just did a google search for exploits within it. There were lots. It's not worth it.

If you do things right, bad results become impossible. If you do things wrong, you'll never get to a solution, regardless of how quick it appears. :)

--
Dustin Sallings

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users