Alexey Pechnikov <pechni...@mobigroup.ru> wrote:
> Do you want to produce SQL-injection security holes? When the database
> engine can convert datatypes on demand, we may quote all values from
> web forms and all other external sources.

Don't build SQL statements on the fly - use parameterized queries to protect 
against SQL injections. This also eliminates most concerns about type 
mismatches and such. When you bind a value to a parameter, you explicitly 
specify the type of that value - you are unlikely to accidentally pass a string 
when an int is needed, say (and if you do, it's probably a bug in your program).
-- 
Igor Tandetnik
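The contrast Igor describes, shown as an added example that is not part of the original thread: a statement built from a string beside its parameterized form, using Python's standard-library sqlite3 module against an in-memory database. The users table, the names and the hostile input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not from the original thread.
USERS = [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")]


def make_db():
    """Create an in-memory SQLite database with a small users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_unsafe(conn, name):
    """Statement built on the fly: the value becomes part of the SQL text."""
    sql = "SELECT id, name FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterized: the value is bound to '?' and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def bound_type(conn, value):
    """Report the storage class SQLite sees for a bound value (no quoting, no guessing)."""
    return conn.execute("SELECT typeof(?)", (value,)).fetchone()[0]


def demo():
    """Run both lookups with a constructed tautology input and inspect bound types."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input; a tautology only when spliced into SQL text
    return {
        "unsafe_rows": len(lookup_unsafe(conn, hostile)),  # every row comes back
        "safe_rows": len(lookup_safe(conn, hostile)),      # no user has that literal name
        "int_type": bound_type(conn, 42),                  # 'integer'
        "str_type": bound_type(conn, "42"),                # 'text'
    }


if __name__ == "__main__":
    print(demo())
```

Binding an int and binding the string "42" yield different storage classes, which is the explicit typing Igor refers to: a mismatch shows up as a wrong type rather than as a quoting problem.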


_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users