Dear list,
Sorry for jumping onto the list mainly to ask a question, but it is an
imporant one, and I have failed to find the answer on Google.
I am developing a prototype of an application in Tcl using sqlite as
the backend database. Now, I know that I will be dealing with quite
naïve users, who will not think that "!' and simialar characters are
evil and potentially dangerous in a SQL database context. So, now I
need to make sure that I am taking all the precautions I can to
protect the database from evil / naïve users, and since parts of the
application may be ported to C for speed later, I would prefer as much
of it to happen in the SQL queries themselves, in order to make sure
that the behaviour stays constant when porting.
My currrent strategy is to use a combination of quote() and trim() (as
blank space at the ends of a string is not important in my
application). So, for each string value I get from the user, I do
something similar to
set out [format {select * from X where label == quote(trim("%s")) and
id > %d } $myStringValue $compId ]
(Please ignore the Tcl part if you are not familiar with it.. format
is basically (almost) sprintf in a new name )
So, my questions are now:
1) Can I feel safe that the string value is now "safe" (to some
degree) regarding SQL injection?
2) Have I done something that will prevent me from matching values I
really want to match by altering the original string value?
3) Is the integer value reasonably secure, or shouls something be done
for that too (and then, what?)
Sorry for these questions, but I would rather dot all the i:s before
moving on in the application development. I have seen before how
creative naïve users can be when it comes to making applications crash
due to unforseen actions. :-)
Of course, any input in this would be greatly appreciated.
/Fredrik
--
"Life is like a trumpet - if you don't put anything into it, you don't
get anything out of it."
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
