On 22/03/12 22:57, Steinar Midtskogen wrote:
> I'm planning to allow users to make database queries through a web
> page. I'm thinking of letting the user provide the string that goes
> between SELECT and FROM using the sqlite3 command tool, but what kind
> of input checking is then needed?

Use the authorizer:
http://www.sqlite.org/c3ref/set_authorizer.html

Use limits to constrain possibilities:
http://www.sqlite.org/c3ref/limit.html

Call interrupt from a second thread to prevent runaway queries:
http://www.sqlite.org/c3ref/interrupt.html

> I need to check that the input ...

That approach requires you to have perfect code and not get outwitted. If I was an attacker I'd be trying hex constants and unicode tricks.

Roger
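The three mechanisms Roger points at, applied to the "user supplies the text between SELECT and FROM" setup, as an added example that is not part of the thread. It uses Python's sqlite3 bindings to the same C hooks: an allowlisting authorizer (only SELECT, reads of one table, and a few functions), the SQL-length limit where the binding exposes it, and a progress-handler step budget in place of a second thread calling interrupt. The table name `readings`, the function allowlist and the budgets are assumptions constructed for the example.

```python
import sqlite3

ALLOWED_TABLE = "readings"                      # assumed: the one table exposed to the web page
ALLOWED_FUNCTIONS = {"count", "sum", "avg", "min", "max", "length"}
STEP_BUDGET = 200            # progress-handler callbacks allowed per query
STEPS_PER_CALLBACK = 1000    # VM instructions between callbacks

def authorizer(action, arg1, arg2, dbname, source):
    """Allowlist at prepare time; anything not listed (ATTACH, PRAGMA, writes,
    reads of other tables incl. sqlite_master, other functions) is denied."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ and arg1 == ALLOWED_TABLE:   # arg2 is the column
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_FUNCTION and arg2 in ALLOWED_FUNCTIONS:
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY

def open_db(path=":memory:"):
    """Constructed sample database: 300 rows, then the hooks are installed."""
    conn = sqlite3.connect(path)
    conn.executescript("CREATE TABLE readings(ts INTEGER, value REAL);")
    conn.executemany("INSERT INTO readings VALUES (?, ?)",
                     [(i, i * 0.5) for i in range(300)])
    if hasattr(conn, "setlimit"):               # sqlite3_limit() binding, Python 3.11+
        conn.setlimit(sqlite3.SQLITE_LIMIT_SQL_LENGTH, 4096)
    conn.set_authorizer(authorizer)
    return conn

def run_user_select(conn, user_part):
    """SELECT <user_part> FROM readings. Returns ("ok", rows), ("denied", msg)
    when the authorizer rejects the statement, or ("aborted", msg) when the
    step budget is exhausted (same effect as sqlite3_interrupt)."""
    calls = [0]
    def budget():
        calls[0] += 1
        return 1 if calls[0] > STEP_BUDGET else 0   # non-zero aborts the statement
    conn.set_progress_handler(budget, STEPS_PER_CALLBACK)
    try:
        rows = conn.execute(f"SELECT {user_part} FROM {ALLOWED_TABLE}").fetchall()
        return ("ok", rows)
    except sqlite3.OperationalError as e:          # "interrupted" or a prepare error
        return ("aborted" if "interrupt" in str(e).lower() else "denied", str(e))
    except sqlite3.DatabaseError as e:             # "not authorized"
        return ("denied", str(e))
    finally:
        conn.set_progress_handler(None, STEPS_PER_CALLBACK)
```

Note that the authorizer runs when the statement is compiled, so it also covers subqueries and tables reached through aliases; the progress handler is what stops a query that is authorized but never finishes.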