Request: have a function like slExeBind for Select statements = slSelBind

Started by Steven Pringels, August 27, 2010, 05:25:54 am


Steven Pringels

In order to avoid SQL injection it would be great to have a function that could bind data to select statement just like the one slExeBind does which only works for INSERT or UPDATE statements.

Cheers
Steven

Fred Meier


Steven Pringels

Hi Fred,

I have done some work on this issue myself and it works. I haven't finished everything yet, but if you wish I can send you a zip file with the code in it. Mind, though, that the adaptation is based on version 1.30 of SQLitening.

The files that have been adapted are SQLitening.bas, SQLiteningClient.bas, SQLiteningServer and the inc file.

What needs to be done is add the ModChars for the select statement.

Just give me a shout if you need the files (provide email address :-))

Cheers
Steven

Fred Meier

Yes, I would like to use your code as a starting place. You could zip the four files and post them here as an attachment.

Thank You.

Steven Pringels

Hi Fred,

This is a bit embarrassing. I can't get the ProcessRequest %reqSelBind to return a row; I thought it worked but it doesn't yet. However, here is the zip file requested.

I'm still looking further at it.

Cheers
Steven

Steven Pringels

Update !

I got the binding to work. Make sure that ...

1. You bind the variables as TEXT, not BLOB
2. When you first do the sqlite3_step you get a %SQLITE3_DONE which is false. You should test for the occurrence of the step count. If you get a DONE after the second call to the _step function you should abend.
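
An added example (not SQLitening's code, and not part of this thread) that shows the two points above using Python's stdlib sqlite3 module on a constructed in-memory table: a SELECT built by string concatenation beside one that binds the value to a ? placeholder the way an slSelBind would, a step loop that stops when the cursor reports no more rows (the SQLITE_DONE case), and why binding the value as TEXT rather than BLOB matters for matching a TEXT column. The table, rows and function names are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo, not from the forum thread.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def open_sample_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def lookup_unsafe(con, name):
    # The pattern the request wants to get rid of: the SELECT is assembled
    # by concatenation, so the caller's input is parsed as SQL text.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_bound(con, name):
    # Equivalent of a slSelBind: the statement is prepared once and the
    # value is bound to the ? placeholder, so it is only ever data.
    cur = con.execute("SELECT name, email FROM users WHERE name = ?", (name,))
    rows = []
    # This loop is the sqlite3_step loop: fetchone() returns None at the
    # point where a raw step would report SQLITE_DONE (no row, or no more
    # rows), so a DONE on the very first step simply yields an empty list.
    while True:
        row = cur.fetchone()
        if row is None:
            break
        rows.append(row)
    return rows


if __name__ == "__main__":
    con = open_sample_db()
    print(lookup_bound(con, "alice"))          # the one matching row
    print(lookup_bound(con, "' OR '1'='1"))    # [] : treated as a literal name
    print(lookup_unsafe(con, "' OR '1'='1"))   # every row : input became SQL
    # Binding bytes sends a BLOB; SQLite never compares a BLOB equal to a
    # TEXT value, so the row is not found even though the bytes spell "alice".
    print(lookup_bound(con, b"alice"))         # []
```

Python's sqlite3 module does the prepare/bind/step for you; in SQLitening the same steps are the sqlite3_prepare, sqlite3_bind_text and sqlite3_step calls the thread discusses.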


cj

Thank you Steven for all the work!

It might be dangerous to replace our current files with these files because modifications to SQLitening were made after 2010 (especially using threading).

These modifications might be merged into the current version of the files.