On 14 Nov 2011, at 5:53pm, Dotan Cohen wrote:

> I recommend against formulating the SQL statements in Javascript.
> Because if I find that page, I _will_ try to inject my own SQL.

My code on the PHP side executes only the first SQL command.  And there's a hash. 
 But yes, people should be careful with doing things like that.

Unfortunately there are no secure ways to communicate between JavaScript and 
PHP.  Because whatever you do, you're still sending a text string from one to 
another.  You might have a protocol that the text string is XML or JSON but 
when it comes down to it, your hacker will figure that out too.  It's a nasty 
security problem with AJAX/SOAP/REST web apps which will be solved only when we 
all move to persistent SQL datastores or to websockets, both of which are in 
HTML5.

Simon.
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
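Added example, not code from either message in this thread: one way to keep the SQL out of the browser entirely, so that the string travelling from JavaScript to PHP is a query name plus data, never a statement. It assumes PDO with the SQLite driver, a database file app.db containing a table notes(id, owner, body), and a PHP session that holds the logged-in user name.

```php
<?php
// Added example (not from the thread). The client posts
// {"query": "notes.list", "params": {...}}; the server maps the name to a
// fixed statement and binds the parameters, so no client text ever
// becomes SQL. Assumes app.db with notes(id, owner, body) and a session.
declare(strict_types=1);
session_start();

// The only statements this endpoint will ever run, keyed by name.
const QUERIES = [
    'notes.list' => [
        'sql'    => 'SELECT id, body FROM notes WHERE owner = :owner ORDER BY id',
        'params' => ['owner'],
    ],
    'notes.add' => [
        'sql'    => 'INSERT INTO notes (owner, body) VALUES (:owner, :body)',
        'params' => ['owner', 'body'],
    ],
];

function runNamedQuery(PDO $db, string $name, array $input): array
{
    if (!isset(QUERIES[$name])) {
        throw new InvalidArgumentException("unknown query: $name");
    }
    $spec = QUERIES[$name];
    $stmt = $db->prepare($spec['sql']);
    foreach ($spec['params'] as $p) {
        if (!array_key_exists($p, $input)) {
            throw new InvalidArgumentException("missing parameter: $p");
        }
        // Bound as data; extra keys the client sends are simply ignored.
        $stmt->bindValue(':' . $p, (string) $input[$p], PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite:app.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$req = json_decode((string) file_get_contents('php://input'), true) ?? [];
// The owner comes from the session; array union keeps the left-hand key,
// so a client-supplied "owner" cannot override it.
$params = ['owner' => $_SESSION['user'] ?? ''] + (array) ($req['params'] ?? []);
header('Content-Type: application/json');
try {
    echo json_encode(runNamedQuery($db, (string) ($req['query'] ?? ''), $params));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```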
