Thanks for the quick response Simon. Happy holidays.
On Fri, Dec 31, 2010 at 8:25 PM, Simon Slavin <[email protected]> wrote: > > On 1 Jan 2011, at 12:35am, Jeffrey Walton wrote: > >> I'm using SQLite on embedded devices (iPhone and, SmartPhone, and >> PocketPC). Ichecked OWASP, and they don't have anything for SQLite or >> C/C++. http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. >> >> Does the SQLite API offer the ability to create a 'command object'. Or >> a call to sanitize user input (which would probably include escaping >> special characters)? > > Yep. sqlite3_prepare() creates a compiled SQL statement, which is more or > less what you mean by 'command object'. It's not possible to inject if > you're using sqlite3_prepare(): it will execute only a single instruction and > syntax characters in parameters are interpreted as if they're part of the > parameter, not part of the command. > > If you're using sqlite3_exec() then you have bigger problems. You can, of > course, screen your input string for semi-colons. You can check that INSERT, > UPDATE and DELETE are followed only by your desired table names. You can > screen the first two words of each SQL command. Further precautions vary > depending on what you know is a legitimate use in your particular application. > > So I recommend that if you're nervous about injection, you use the prepare > sequence: > > <http://www.sqlite.org/c3ref/stmt.html> > > In the case of the iPhone you other special security measures acting in your > favour. For instance, it's impossible to use one application to get at the > data belonging to other applications. Other operating systems have their own > measures. > > Simon. _______________________________________________ sqlite-users mailing list [email protected] http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
