Dear list, Sorry for jumping onto the list mainly to ask a question, but it is an imporant one, and I have failed to find the answer on Google. I am developing a prototype of an application in Tcl using sqlite as the backend database. Now, I know that I will be dealing with quite naïve users, who will not think that "!' and simialar characters are evil and potentially dangerous in a SQL database context. So, now I need to make sure that I am taking all the precautions I can to protect the database from evil / naïve users, and since parts of the application may be ported to C for speed later, I would prefer as much of it to happen in the SQL queries themselves, in order to make sure that the behaviour stays constant when porting.
My currrent strategy is to use a combination of quote() and trim() (as blank space at the ends of a string is not important in my application). So, for each string value I get from the user, I do something similar to set out [format {select * from X where label == quote(trim("%s")) and id > %d } $myStringValue $compId ] (Please ignore the Tcl part if you are not familiar with it.. format is basically (almost) sprintf in a new name ) So, my questions are now: 1) Can I feel safe that the string value is now "safe" (to some degree) regarding SQL injection? 2) Have I done something that will prevent me from matching values I really want to match by altering the original string value? 3) Is the integer value reasonably secure, or shouls something be done for that too (and then, what?) Sorry for these questions, but I would rather dot all the i:s before moving on in the application development. I have seen before how creative naïve users can be when it comes to making applications crash due to unforseen actions. :-) Of course, any input in this would be greatly appreciated. /Fredrik -- "Life is like a trumpet - if you don't put anything into it, you don't get anything out of it." _______________________________________________ sqlite-users mailing list sqlite-users@sqlite.org http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users