On 26 Nov 2011, at 4:00pm, Jean-Christophe Deschamps wrote:

>> So I make up for it by using an 'exec' which executes only the first 
>> command, and by hashing the command so that tampering with it would make it 
>> fail the hash.
> 
> AFAIK sqlite3_exec will happily prepare and run more than one statement in a 
> row.  I use it all the time.

But several APIs offer ones which won't.  For instance

http://www.php.net/manual/en/sqlite3.query.php

will only execute one command.  So even if someone cracks my (fairly secure but 
not paranoid) system and does a 'little Bobby Tables' on me, the second command 
won't be executed.

>> I hadn't known [_exec] removal was even being considered.
> 
> Not by the dev team AFAIK but the idea has been expressed several times that 
> it was an obsolete, useless API we should get rid of.

Arghhhhhh !    I use _prepare for apps which do a lot of processing, but quite 
a lot of my SQLite use is on computers I personally control and in situations 
where _exec is as safe as anything.

Simon.
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
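
The multi-statement versus single-statement difference discussed in this message, as an added example that is not part of the original thread. It uses Python's standard `sqlite3` module as a stand-in: `executescript()` runs every statement in a string much as `sqlite3_exec` does, while `execute()` accepts only one statement (Python rejects the whole string rather than running just the first command). The table name, helper names and the input string are constructed for illustration.

```python
import sqlite3

# Constructed input in the style of the 'little Bobby Tables' comic the post mentions.
HOSTILE_NAME = "Robert'); DROP TABLE students; --"

def fresh_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE students (name TEXT)")
    return db

def table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row[0] == 1

def concat_sql(name):
    # Deliberately unsafe string building, kept only to compare the APIs.
    return "INSERT INTO students (name) VALUES ('" + name + "')"

def multi_statement_api(name):
    """Multi-statement call: every statement in the string is run."""
    db = fresh_db()
    db.executescript(concat_sql(name))
    return table_exists(db)

def single_statement_api(name):
    """Single-statement call: trailing SQL after the first statement is refused."""
    db = fresh_db()
    try:
        db.execute(concat_sql(name))
        rejected = False
    except (sqlite3.Warning, sqlite3.Error):  # exception class varies by Python version
        rejected = True
    return rejected, table_exists(db)

def bound_parameter(name):
    """Prepared statement with a bound value: the input is stored as plain data."""
    db = fresh_db()
    db.execute("INSERT INTO students (name) VALUES (?)", (name,))
    stored = db.execute("SELECT name FROM students").fetchone()[0]
    return stored == name, table_exists(db)

if __name__ == "__main__":
    print("multi-statement API, table survives:", multi_statement_api(HOSTILE_NAME))
    print("single-statement API (rejected, table survives):", single_statement_api(HOSTILE_NAME))
    print("bound parameter (stored verbatim, table survives):", bound_parameter(HOSTILE_NAME))
```

A single-statement API only stops the stacked second command; the bound-parameter path is the one that also keeps the first statement from being altered by the input.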