Re: [sqlite] FTS3 bug

Sat, 15 Jan 2011 04:17:11 -0800 

Hi Phil,

I am binding the values, not just concatenating them into the query or
manually escaping them. So that's why I believe there's a bug in FTS3.
I'm binding the value, but still it fails depending on the value of
the variable.

In Python it's:
cursor.execute('SELECT * FROM MyTable WHERE MyTable MATCH ?', ('"""',))
(binding the string """  [3 x "] to ?)

In Android it's:
cursor = db.rawQuery("SELECT * FROM MyTable WHERE MyTable MATCH ?",
new String[]{"\"\"\""});
(binding the string """  [3 x "] to ?)

But you are probably correct in that trying to sanitize user input
isn't where I want to go. Instead I will catch the exception and
ignore the error.

Cheers,
 Jonas

On Sat, Jan 15, 2011 at 12:20 PM, Philip Graham Willoughby
<phil.willoug...@strawberrycat.com> wrote:
> On 15 Jan 2011, at 01:18, Jonas Bengtsson wrote:
>
>> 2) Any suggestions as to how to sanitize the user's input to avoid
>> this problem? This is just the one I've found, but I'm assuming there
>> are more.
>
> Don't try and sanitize the user's input - you will never be able to prove you 
> have accounted for everything. The correct way to do this is to stop giving 
> the user's input to sqlite in your query string. Instead you should use 
> symbolic literals to which you bind the values the user has input. If your 
> language's sqlite wrapper doesn't support binding values then report that 
> omission as a bug to the providers of that library.
>
> See sqlite3_bind_* on this page http://www.sqlite.org/c3ref/funclist.html for 
> the C interface.
>
> Best Regards,
>
> Phil Willoughby
> --
> Managing Director, StrawberryCat Limited
>
> StrawberryCat Limited is registered in England and Wales with Company No. 
> 7234809.
>
> The registered office address of StrawberryCat Limited is:
>
> 107 Morgan Le Fay Drive
> Eastleigh
> SO53 4JH
>
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

Reply via email to