http://unixwiz.net/techtips/sql-injection.html is a nice introduction to
SQL injection attacks (learning by example). It also explains why binding
is far superior to trying to invent a set of rules and cleaning the input.


On Thu, Jul 16, 2009 at 9:01 AM, Michael Schlenker <m...@contact.de> wrote:

> Fredrik Karlsson wrote:
> > On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker<m...@contact.de> wrote:
> >> You're working far too hard. The sqlite Tcl binding already does all that's needed.
> >>
> >> This is perfectly safe:
> >> set result [db1 eval {select * from X where label = $myStringValue and id > $compId}]
> >>
> >> But you MUST use {} to quote your query and not "", so sqlite gets to do the
> >> substitution (or better said convert things to prepared statements and bind
> >> values correctly) and not Tcl.
> >>
> >> Michael
> >
> > Hi Michael,
> >
> > Ok, I can see how this would be the easiest solution, but what I am
> > doing is basically a query builder (mapping of commands in a specialized
> > language to pattern subselects in SQL queries). Since the statements
> > can be nested in many different ways, I cannot expect to be able to
> > construct the query and keep track of variable names to be used in
> > the final substitution, so that I can make use of the built-in binding
> > feature of sqlite.... It is much too much hard work.
> >
>
> I don't think so.
>
> Just use an array to store your values and prefix the names with the
> identifier of your subpattern. Now when you emit your subpattern via
> [format] or some other method just add the appropriate prefixed bind
> variables. Should not be too hard.
>
> > Instead, I think I need to make each part of the query return a
> > complete (not to be evaluated further outside of sqlite) SQL query
> > subselect statement, which is why I think I need to make sure that the
> > values I insert are safe inside an SQL statement myself.
> > Or, do you know of a Tcl command to make strings "SQL safe"? (Sorry
> > for making this into a Tcl question now..)
>
> It's the wrong way. See the mess you get with mysql_real_escape() in PHP and
> you know it's wrong.
>
> Michael
>
> --
> Michael Schlenker
> Software Engineer
>
> CONTACT Software GmbH           Tel.:   +49 (421) 20153-80
> Wiener Straße 1-3               Fax:    +49 (421) 20153-41
> 28359 Bremen
> http://www.contact.de/          E-Mail: m...@contact.de
>
> Registered office: Bremen
> Managing Directors: Karl Heinz Zachries, Ralf Holtgrefe
> Registered in the commercial register of the Bremen district court (Amtsgericht Bremen) under HRB 13215
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>



-- 
VerifEye Technologies Inc.
905-948-0015x245
7100 Warden Ave, Unit 3
Markham ON, L3R 8B5
Canada
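Michael's suggestion above (keep an array of bind variables, prefixed with the identifier of the subpattern that emitted them, and bind everything once at the end) is easy to show concretely. The example below is added here and is neither code from the thread nor part of the sqlite project. It transposes the Tcl technique to Python's sqlite3 module, because SQLite's named parameters (`:name`) behave the same way in both bindings. The table `X`, its columns `id`, `label` and `score`, the sample rows, and the `QueryBuilder` class are constructed for the example. `run_escaped` shows the approach the thread argues against: a hand-written escaping rule that covers the string position but not the numeric one.

```python
import sqlite3

# Constructed sample rows standing in for the poster's table "X"; the column
# names (id, label, score) are assumptions, not taken from the thread.
SAMPLE_ROWS = [
    (1, "alpha", 10),
    (2, "beta", 20),
    (3, "alpha", 30),
    (4, "a' OR '1'='1", 40),   # a label that happens to contain SQL syntax
]


def make_db():
    """Return an in-memory SQLite connection loaded with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE X (id INTEGER PRIMARY KEY, label TEXT, score INTEGER)")
    con.executemany("INSERT INTO X VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


class QueryBuilder:
    """Builds nested subselects while collecting named bind parameters.

    Every subpattern gets its own prefix (p1, p2, ...) and stores its values
    under prefixed names, so fragments can nest arbitrarily without name
    collisions and the whole query is executed with all values bound at once.
    """

    def __init__(self):
        self.params = {}   # the "array" of prefixed bind variables
        self._count = 0

    def _prefix(self):
        self._count += 1
        return f"p{self._count}"

    def _bind(self, prefix, name, value):
        key = f"{prefix}_{name}"
        self.params[key] = value
        return f":{key}"          # SQLite named-parameter placeholder

    def label_match(self, label):
        p = self._prefix()
        return f"SELECT id FROM X WHERE label = {self._bind(p, 'label', label)}"

    def score_above(self, threshold):
        p = self._prefix()
        return f"SELECT id FROM X WHERE score > {self._bind(p, 'score', threshold)}"

    @staticmethod
    def intersect(*subselects):
        # SQLite compound selects are written without parentheses around operands.
        return " INTERSECT ".join(subselects)


def build_query(label, threshold):
    """Compose the nested query; the SQL text never contains the user values."""
    qb = QueryBuilder()
    inner = qb.intersect(qb.label_match(label), qb.score_above(threshold))
    sql = f"SELECT id FROM X WHERE id IN ({inner}) ORDER BY id"
    return sql, qb.params


def run_bound(con, label, threshold):
    """Execute the composed query with every value bound as a parameter."""
    sql, params = build_query(label, threshold)
    return [row[0] for row in con.execute(sql, params)]


def run_escaped(con, label, threshold):
    """The approach the thread argues against: a hand-written escaping rule.

    Doubling single quotes covers the string position, but the numeric
    position has no quotes to escape, so the rule set is incomplete and the
    value is pasted into the statement text as-is.
    """
    safe_label = str(label).replace("'", "''")
    sql = (f"SELECT id FROM X WHERE label = '{safe_label}' "
           f"AND score > {threshold} ORDER BY id")
    return [row[0] for row in con.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(build_query("alpha", 15))
    print("bound:  ", run_bound(db, "alpha", 15))
    print("bound:  ", run_bound(db, "a' OR '1'='1", 0))
    print("bound:  ", run_bound(db, "alpha", "0 OR 1=1"))
    print("escaped:", run_escaped(db, "alpha", "0 OR 1=1"))
```

With binding, a label that contains quotes or a threshold that contains operators is compared as a literal value and cannot alter the statement's structure (the odd label matches exactly row 4; the non-numeric threshold matches nothing). With the escaping rule, the same non-numeric threshold changes the WHERE clause and the query returns every row, which is the "mess" Michael refers to: each syntactic position needs its own rule, and missing one is enough.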