http://unixwiz.net/techtips/sql-injection.html is a nice introduction to SQL injection attacks (learning by example). It also explains why binding is far superior to trying to invent a set of rules and cleaning the input.
On Thu, Jul 16, 2009 at 9:01 AM, Michael Schlenker <m...@contact.de> wrote:
> Fredrik Karlsson wrote:
> > On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker <m...@contact.de> wrote:
> >> You're working far too hard. The sqlite Tcl binding already does all that's needed.
> >>
> >> This is perfectly safe:
> >> set result [db1 eval {select * from X where label = $myStringValue and id > $compId}]
> >>
> >> But you MUST use {} to quote your query and not "", so sqlite gets to do the substitution (or better said, convert things to prepared statements and bind values correctly) and not Tcl.
> >>
> >> Michael
> >
> > Hi Michael,
> >
> > Ok, I can see how this would be the easiest solution, but what I am doing is basically a query builder (mapping of commands in a specialized language to pattern subselects in SQL queries). Since the statements can be nested in many different ways, I cannot expect to be able to construct the query and keep track of variable names to be used in the final substitution, so that I can make use of the built-in binding feature of sqlite.... It is much too much hard work.
>
> I don't think so.
>
> Just use an array to store your values and prefix the names with the identifier of your subpattern. Now when you emit your subpattern via [format] or some other method just add the appropriate prefixed bind variables. Should not be too hard.
>
> > Instead, I think I need to make each part of the query return a complete (not to be evaluated further outside of sqlite) SQL query subselect statement, which is why I think I need to make sure that the values I insert are safe inside an SQL statement myself.
> > Or, do you know of a Tcl command to make strings "SQL safe"? (Sorry for making this into a Tcl question now..)
>
> It's the wrong way. See the mess you get with mysql_real_escape() in PHP and you know it's wrong.
>
> Michael
>
> --
> Michael Schlenker
> Software Engineer
>
> CONTACT Software GmbH          Tel.: +49 (421) 20153-80
> Wiener Straße 1-3              Fax: +49 (421) 20153-41
> 28359 Bremen
> http://www.contact.de/         E-Mail: m...@contact.de
>
> Registered office: Bremen
> Managing directors: Karl Heinz Zachries, Ralf Holtgrefe
> Registered in the commercial register of the Bremen district court under HRB 13215
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>

--
VerifEye Technologies Inc.
905-948-0015x245
7100 Warden Ave, Unit 3
Markham ON, L3R 8B5
Canada
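The thread's two points, that bound parameters beat home-made escaping and that a nested query builder can still use them by prefixing each subpattern's bind names, are illustrated below in an added example written for this page (not code from the thread or from the SQLite Tcl binding). It uses Python's sqlite3 module rather than Tcl so that it runs stand-alone, but the mechanism is the same: the builder returns complete subselects that carry only `:name` placeholders, collects the values in a dict keyed by a per-subpattern prefix, and hands everything to SQLite in one execute call. The table X, the rows in it, and the `QueryBuilder`, `build_query`, `query_bound` and `query_interpolated` names are all constructed for the example. The interpolating function is included only to show what the bound version prevents.

```python
import sqlite3

# Constructed sample data: table X(id, label), as named in the thread.
SAMPLE_ROWS = [(1, "alpha"), (2, "beta"), (3, "alpha"), (4, "gamma")]


def make_db():
    """Return an in-memory SQLite database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE X (id INTEGER PRIMARY KEY, label TEXT)")
    db.executemany("INSERT INTO X (id, label) VALUES (?, ?)", SAMPLE_ROWS)
    return db


class QueryBuilder:
    """Assemble nested subselects while collecting named bind parameters.

    Each subpattern is given its own prefix (p1, p2, ...), so values that
    belong to different parts of the query never collide. The emitted SQL
    contains only :name placeholders; SQLite receives the values separately,
    so no quoting or escaping is ever done by this code.
    """

    def __init__(self):
        self.params = {}   # bind name -> value, filled as subpatterns are emitted
        self._count = 0

    def _prefix(self):
        self._count += 1
        return f"p{self._count}"

    def label_eq(self, label):
        """Subpattern: ids of rows whose label equals the given value."""
        p = self._prefix()
        self.params[f"{p}_label"] = label
        return f"SELECT id FROM X WHERE label = :{p}_label"

    def id_gt(self, comp_id):
        """Subpattern: ids of rows whose id is greater than the given value."""
        p = self._prefix()
        self.params[f"{p}_id"] = comp_id
        return f"SELECT id FROM X WHERE id > :{p}_id"

    def both(self, left_sql, right_sql):
        """Nest two finished subselects; only SQL text is combined here, never values."""
        return (f"SELECT id FROM X WHERE id IN ({left_sql}) "
                f"AND id IN ({right_sql}) ORDER BY id")


def build_query(label, comp_id):
    """Return (sql, params) for 'label = ? and id > ?' built from nested subpatterns."""
    qb = QueryBuilder()
    sql = qb.both(qb.label_eq(label), qb.id_gt(comp_id))
    return sql, qb.params


def query_bound(db, label, comp_id):
    """Run the built query with SQLite doing the binding. Returns matching ids."""
    sql, params = build_query(label, comp_id)
    return [row[0] for row in db.execute(sql, params)]


def query_interpolated(db, label, comp_id):
    """The approach the thread warns against: gluing values into the SQL text.

    A label such as  alpha' OR '1'='1  changes the query's structure, so the
    WHERE clause no longer means what the caller intended.
    """
    sql = f"SELECT id FROM X WHERE label = '{label}' AND id > {comp_id} ORDER BY id"
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    sql, params = build_query("alpha", 1)
    print(sql)
    print(params)
    print("bound, normal input:       ", query_bound(db, "alpha", 1))
    print("bound, hostile input:      ", query_bound(db, "alpha' OR '1'='1", 0))
    print("interpolated, hostile input:", query_interpolated(db, "alpha' OR '1'='1", 0))
```

With the bound version the hostile label is compared literally against the label column and matches nothing, whereas the interpolated version returns every row. Because each subpattern owns its prefix, `both()` can be applied recursively to arbitrarily nested patterns without any part of the builder needing to know which bind names the other parts chose, which is exactly the bookkeeping the thread was worried about.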