On 15 Jan 2011, at 01:18, Jonas Bengtsson wrote:

> 2) Any suggestions as to how to sanitize the user's input to avoid this problem? This is just the one I've found, but I'm assuming there are more.
Don't try to sanitize the user's input; you will never be able to prove you have accounted for everything. The correct way to do this is to stop giving the user's input to sqlite in your query string. Instead you should use symbolic literals to which you bind the values the user has input. If your language's sqlite wrapper doesn't support binding values, then report that omission as a bug to the providers of that library.

See sqlite3_bind_* on this page http://www.sqlite.org/c3ref/funclist.html for the C interface.

Best Regards,

Phil Willoughby
--
Managing Director, StrawberryCat Limited

StrawberryCat Limited is registered in England and Wales with Company No. 7234809. The registered office address of StrawberryCat Limited is: 107 Morgan Le Fay Drive Eastleigh SO53 4JH

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
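The two approaches side by side, as an added example that is not part of the original thread. It uses Python's standard-library sqlite3 module, whose `?` placeholders are bound through the same sqlite3_bind_* C interface Phil points to, and a constructed in-memory users table; the `lookup_*` function names, the table and the sample rows are all assumptions made here for illustration. The spliced-string version both lets a crafted value widen the WHERE clause and breaks on a perfectly legitimate name containing an apostrophe, while the bound version treats every input as data.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
USERS = [("alice", "alice@example.org"), ("bob", "bob@example.org")]


def make_db():
    """Create an in-memory database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # Even the fixture inserts go through bound parameters.
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """The pattern the post warns against: user input spliced into the SQL text.

    Whatever the user typed becomes part of the statement sqlite parses.
    """
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """The recommended pattern: a placeholder in the SQL, the value bound separately.

    The statement text is fixed; sqlite receives the value through
    sqlite3_bind_* and never parses it as SQL.
    """
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run both lookups against a hostile value and a legitimate awkward one."""
    conn = make_db()
    results = {}

    # A value crafted to widen the WHERE clause when spliced into the query.
    payload = "' OR '1'='1"
    results["unsafe_payload"] = lookup_unsafe(conn, payload)   # every row leaks
    results["bound_payload"] = lookup_bound(conn, payload)     # no user has that name

    # A legitimate name containing a single quote. Binding stores and finds it;
    # splicing produces a malformed statement and sqlite rejects it.
    conn.execute("INSERT INTO users VALUES (?, ?)", ("o'brien", "ob@example.org"))
    results["bound_quote"] = lookup_bound(conn, "o'brien")
    try:
        lookup_unsafe(conn, "o'brien")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "syntax error"

    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that the apostrophe case is why "escape the quotes" is not a substitute for binding: the escaping rules depend on the exact context the value lands in (string literal, identifier, LIKE pattern, numeric position), and any mismatch between what the application assumes and what sqlite parses is a bug waiting to be found.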