Agreed. I would hope that the application (at a higher level) is performing
type checks on the input data before attempting any insertion...

On Thu, Apr 29, 2010 at 8:28 AM, Igor Tandetnik <itandet...@mvps.org> wrote:

> Alexey Pechnikov <pechni...@mobigroup.ru> wrote:
> > Do you want to produce SQL-injection security holes? When the database
> > engine can convert datatypes on demand, we may quote all values from
> > web forms and all other external sources.
>
> Don't build SQL statements on the fly - use parameterized queries to
> protect against SQL injections. This also eliminates most concerns about
> type mismatches and such. When you bind a value to a parameter, you
> explicitly specify the type of that value - you are unlikely to accidentally
> pass a string when an int is needed, say (and if you do, it's probably a bug
> in your program).
> --
> Igor Tandetnik
>
>
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>



-- 
Paul Rigor
Pre-doctoral BIT Fellow and Graduate Student
Institute for Genomics and Bioinformatics
Donald Bren School of Information and Computer Sciences
University of California, Irvine
http://www.ics.uci.edu/~prigor
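The two points made above (check types in the application, then bind parameters instead of building SQL text) as an added Python sqlite3 example; it is not code from this thread or from SQLite itself, and the orders table, column names and sample values are constructed for illustration. It also shows what Alexey alludes to: when a value is bound without an application check, SQLite's column affinity decides the stored type.

```python
import sqlite3

def make_db():
    """Constructed sample schema: qty has INTEGER affinity, item has TEXT affinity."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, item TEXT NOT NULL, qty INTEGER NOT NULL)"
    )
    return conn

def insert_order(conn, item, qty):
    """Application-level type check first, then a parameterized INSERT.
    The values are bound to ? placeholders, never spliced into the SQL text."""
    if not isinstance(item, str):
        raise TypeError("item must be str")
    if isinstance(qty, bool) or not isinstance(qty, int):  # bool is a subclass of int
        raise TypeError("qty must be int")
    cur = conn.execute("INSERT INTO orders (item, qty) VALUES (?, ?)", (item, qty))
    return cur.lastrowid

def stored_as(conn, rowid):
    """Return (item, typeof(item), qty, typeof(qty)) as SQLite actually stored the row."""
    return conn.execute(
        "SELECT item, typeof(item), qty, typeof(qty) FROM orders WHERE id = ?", (rowid,)
    ).fetchone()

def bind_without_check(conn, qty):
    """Skip the application check: bind whatever we were given and let
    the column's INTEGER affinity decide what gets stored."""
    cur = conn.execute("INSERT INTO orders (item, qty) VALUES (?, ?)", ("unchecked", qty))
    return stored_as(conn, cur.lastrowid)[3]

if __name__ == "__main__":
    db = make_db()
    rid = insert_order(db, "widget' OR 1=1 --", 3)
    print(stored_as(db, rid))              # injection-looking text is stored verbatim; qty stays integer
    print(bind_without_check(db, "5"))     # numeric text is converted to integer by affinity
    print(bind_without_check(db, "five"))  # non-numeric text stays text: a silent type mismatch
```

Binding keeps the quote-laden item string inert data, and the explicit isinstance check catches the "5"-as-string case that affinity would otherwise quietly accept.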
