See if this satisfies your needs...a complete example showing parameterized statements fixing the problem...

http://codesnippets.joyent.com/posts/show/2384

Michael D. Black
Senior Scientist
Advanced Analytics Directorate
Advanced GEOINT Solutions Operating Unit
Northrop Grumman Information Systems

________________________________
From: [email protected] [[email protected]] on behalf of Gert Corthout [[email protected]]
Sent: Thursday, October 20, 2011 3:21 AM
To: [email protected]
Subject: EXT :[sqlite] string concatenated sql statements

hello,

I am looking at the data layer of my company's software and noticed we build our queries with string concatenation (including user input). As a former Oracle and SqlServer developer this sends shivers down my spine. I am trying to convince management to get a budget for a switch to parametrized queries. My argument so far is that parametrized queries are way faster if used properly. The next obvious argument is sql injection.

On all string input a simple conversion is done: any ' is replaced by '', that's it. This seems to block off any sql injection right there as the escape character \ doesn't work in sqlite.

So my question is, is there any way to perform a sql injection attack? Alternatively can I make sql statements fail by including funky characters or character combinations?

thanks in advance,
Gert
_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
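The following is an added example, not part of the thread or of the linked snippet, that puts the two approaches discussed above side by side using Python's standard `sqlite3` module against an in-memory database. The `users` table, its `name` column and the sample rows are constructed for the example. It shows that bound parameters (`?`) carry the value purely as data, so quotes and `--` inside the input need no escaping at all, and it also illustrates one of the "funky character" failure modes Gert asks about: a value containing a NUL byte cannot be spliced into the statement text (the statement fails to prepare), whereas the same value binds and matches correctly as a parameter. Note, beyond the page, that the `'` to `''` rule only helps where every user value lands inside a single-quoted string literal; a value concatenated into an unquoted position (a numeric comparison, an identifier) gets no protection from it, which is the case a parameterized statement also covers.

```python
import sqlite3
from typing import List, Optional


def escape_by_doubling(value: str) -> str:
    """The escaping rule described in the thread: every ' becomes ''."""
    return value.replace("'", "''")


def build_concatenated_query(name: str) -> str:
    """Statement text built by concatenation around a quoted, doubled value."""
    return "SELECT id FROM users WHERE name = '" + escape_by_doubling(name) + "'"


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed sample rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    # Rows are inserted with a bound parameter, so every value is stored verbatim,
    # including the single quote, the comment marker and the embedded NUL byte.
    conn.executemany(
        "INSERT INTO users (name) VALUES (?)",
        [("alice",), ("O'Brien",), ("x'; -- y",), ("nul\x00byte",)],
    )
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> Optional[List[int]]:
    """Run the concatenated statement; None means it could not even be prepared.

    Python's sqlite3 rejects statement text containing a NUL (ValueError on
    older releases, ProgrammingError on newer ones); any other prepare or
    execute failure surfaces as an sqlite3.Error. Both are reported as None.
    """
    try:
        return [row[0] for row in conn.execute(build_concatenated_query(name))]
    except (ValueError, sqlite3.Error):
        return None


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> List[int]:
    """Same query with a bound parameter: the value is never part of the SQL text."""
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE name = ?", (name,))]


def compare(conn: sqlite3.Connection, name: str):
    """Return (concatenated result, parameterized result) for one input value."""
    return lookup_concatenated(conn, name), lookup_parameterized(conn, name)


if __name__ == "__main__":
    db = make_db()
    for probe in ["alice", "O'Brien", "x'; -- y", "nul\x00byte"]:
        print(repr(probe), "->", compare(db, probe))
```

For plain strings the two approaches agree, which is the point Gert's colleagues are relying on; the NUL case is where the concatenated statement fails outright while the parameterized one returns the matching row. In a real data layer the parameterized statement would also be prepared once and re-executed with fresh bindings, which is where the speed argument from the thread comes from.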

