Using Sqlitening - What measures should be adopted to prevent SQL Injection attacks. Any thoughts would be appreciated.
You can use triggers to do some basic data validation. That could prevent, for example:
string fields from exceeding a certain length
string fields from matching certain patterns (like SQL statements)
-- reject any update that would store more than 20 characters in xField
CREATE TRIGGER fku_Validate_xTable_xField BEFORE UPDATE OF xField ON [xTable]
FOR EACH ROW WHEN length(NEW.xField) > 20
BEGIN
    SELECT RAISE(ROLLBACK, 'update on table xTable violates field length constraint');
END;
I think you could try using the LIKE or GLOB operators to check pattern matching, but you could always roll your own custom function to use PowerBASIC's REGEXP string functions too:
BTW - I think (i.e. not tested) that adding a trigger that calls a custom proc will guarantee failure of any update (insert or delete, according to the nature of the trigger) if the custom function isn't loaded (another possible layer of security, preventing manipulation of the DB from a third-party source [or directly]).
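The trigger ideas above, worked through as an added example (not code from the post or from SQLitening). It uses Python's standard sqlite3 module as a stand-in for a SQLitening client, since the triggers themselves are plain SQLite SQL and behave the same way whichever client sends them. The table xTable / column xField come from the post; the SQL function name is_valid, the trigger names fki_* and the sample values are assumptions. It shows a length check on UPDATE, a LIKE/GLOB pattern check on INSERT, and a trigger that calls a custom function so that a connection which never registered that function cannot insert at all. Note that pattern-matching stored values catches sloppy input but is not what stops injection; that is done by binding parameters (the values below are all bound) so the data is never parsed as SQL.

```python
import os
import sqlite3
import tempfile

MAX_LEN = 20


def is_valid(value):
    """Application-side validator registered as a SQL function (assumed name:
    is_valid). Returns 1 for acceptable text, 0 otherwise."""
    if value is None or len(value) > MAX_LEN:
        return 0
    lowered = value.lower()
    if ";" in lowered or "--" in lowered or "drop table" in lowered:
        return 0
    return 1


# Constructed schema: table xTable with text column xField, as in the post.
SCHEMA = """
CREATE TABLE xTable (id INTEGER PRIMARY KEY, xField TEXT);

-- Length check on UPDATE (the post's trigger, with the BEGIN/END body that
-- SQLite requires). RAISE(ABORT) fails only the offending statement.
CREATE TRIGGER fku_Validate_xTable_xField BEFORE UPDATE OF xField ON xTable
FOR EACH ROW WHEN length(NEW.xField) > 20
BEGIN
    SELECT RAISE(ABORT, 'update on table xTable violates field length constraint');
END;

-- Pattern check on INSERT: LIKE is case-insensitive for ASCII, GLOB is
-- case-sensitive and uses * and ? as wildcards.
CREATE TRIGGER fki_Pattern_xTable_xField BEFORE INSERT ON xTable
FOR EACH ROW WHEN NEW.xField LIKE '%drop table%' OR NEW.xField GLOB '*;*'
BEGIN
    SELECT RAISE(ABORT, 'insert on table xTable violates field pattern constraint');
END;

-- Custom-function check on INSERT. A connection that has not registered
-- is_valid() cannot insert at all: SQLite reports "no such function".
CREATE TRIGGER fki_Custom_xTable_xField BEFORE INSERT ON xTable
FOR EACH ROW WHEN is_valid(NEW.xField) = 0
BEGIN
    SELECT RAISE(ABORT, 'insert on table xTable rejected by is_valid()');
END;
"""


def open_db(path, register=True):
    """Open the database, optionally registering is_valid() on this connection."""
    conn = sqlite3.connect(path)
    if register:
        conn.create_function("is_valid", 1, is_valid)
    return conn


def attempt(conn, sql, params):
    """Run one bound statement in its own transaction; return 'ok' or the error class."""
    try:
        with conn:
            conn.execute(sql, params)
        return "ok"
    except sqlite3.Error as exc:
        return type(exc).__name__


def demo():
    """Exercise each trigger and return the outcomes by name."""
    path = os.path.join(tempfile.mkdtemp(), "demo.db")
    insert = "INSERT INTO xTable (xField) VALUES (?)"
    update = "UPDATE xTable SET xField = ? WHERE xField = ?"
    results = {}

    conn = open_db(path)
    conn.executescript(SCHEMA)
    results["short_insert"] = attempt(conn, insert, ("alice",))          # ok
    results["long_insert"] = attempt(conn, insert, ("x" * 30,))           # IntegrityError
    results["sql_insert"] = attempt(conn, insert, ("x'; DROP TABLE xTable; --",))  # IntegrityError
    results["long_update"] = attempt(conn, update, ("y" * 30, "alice"))   # IntegrityError
    results["rows"] = conn.execute("SELECT count(*) FROM xTable").fetchone()[0]  # 1
    conn.close()

    # Second connection that never registered is_valid(): even clean data fails.
    other = open_db(path, register=False)
    results["unregistered_insert"] = attempt(other, insert, ("bob",))     # OperationalError
    other.close()
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

RAISE(ABORT) is used instead of the post's RAISE(ROLLBACK) so that only the failing statement is undone and the surrounding transaction survives; with ROLLBACK, one bad row would throw away everything else the transaction had done.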
Quote: Using Sqlitening - What measures should be adopted to prevent SQL Injection attacks. Any thoughts would be appreciated.
This is an old thread from 2015, but these answers were not given.
Today is 12/19/2018.
I've wondered: who would inject code on a local network?
If they can inject code, they can just as easily write SQL statements or delete a database.
If used over the internet, the transmissions should be encrypted, so they shouldn't be able to inject.
I like slExeBind because text can be inserted "as is" without needing to wrap text with $SQ and also wrap embedded $SQ's.
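The difference between gluing text into a statement, wrapping it in $SQ by hand, and binding it the way slExeBind does, as an added example that is not part of the post or of SQLitening. Python's standard sqlite3 module stands in for a SQLitening client: the `?` placeholder with a parameter tuple plays the role of slExeBind, and string concatenation plays the role of building the statement for slExe. The users table, its rows, and the two inputs are constructed for the example.

```python
import sqlite3


def setup():
    """Constructed sample table: two ordinary names and one containing $SQ."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (name TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 'admin'), ('bob', 'user'), ('o''brien', 'user');
    """)
    return conn


def lookup_concat(conn, name):
    """Vulnerable: the value is glued into the statement inside $SQ (single
    quotes), so a quote in the value ends the literal and whatever follows
    is parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_escaped(conn, name):
    """Manual quoting: wrap in $SQ and double every embedded $SQ. Correct for
    text values, but every call site has to remember to do it."""
    sql = "SELECT name, role FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, name):
    """Parameter binding (the slExeBind approach): the value travels separately
    from the statement text and is never parsed as SQL, so no wrapping needed."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def concat_outcome(conn, name):
    """Describe what the vulnerable query does with a value: row count or error."""
    try:
        return "rows:%d" % len(lookup_concat(conn, name))
    except sqlite3.Error as exc:
        return type(exc).__name__


def demo():
    """Run the three lookups against an attacker payload and a legitimate
    value that happens to contain $SQ; return the outcomes by name."""
    conn = setup()
    payload = "nobody' OR '1'='1"   # constructed attacker input
    awkward = "o'brien"             # legitimate input containing $SQ
    return {
        "concat_payload": concat_outcome(conn, payload),     # rows:3 - every user leaks
        "escaped_payload": len(lookup_escaped(conn, payload)),  # 0
        "bound_payload": len(lookup_bound(conn, payload)),      # 0
        "concat_awkward": concat_outcome(conn, awkward),     # OperationalError (syntax error)
        "escaped_awkward": len(lookup_escaped(conn, awkward)),  # 1
        "bound_awkward": len(lookup_bound(conn, awkward)),      # 1
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The concatenated query both leaks every row to the crafted input and breaks on an honest name like o'brien; manual $SQ doubling fixes both only as long as nobody forgets it, while binding needs no per-value handling at all.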