
about sql injection #310

Closed
KiritoStudio opened this issue Jul 4, 2014 · 5 comments

Comments

@KiritoStudio

Can the '?' really prevent SQL injection? I'm new to sqlite3.

@Mithgol
Contributor

Mithgol commented Jul 4, 2014

Yes, it can. Numbered or named parameters also can. Things are generally safe until you use JavaScript's plus (+) to concatenate something unsafe directly into a statement's SQL.

(Basically the same question was already answered in #57.)

@KiritoStudio
Author

@Mithgol Thanks for your reply, and what is the expected behavior if there is '1=1' in the parameter?

@Mithgol
Contributor

Mithgol commented Jul 7, 2014

Something like these results from Node.js REPL:

(screenshot)
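The following is an added example, not code from this thread or from the node-sqlite3 project, illustrating both of Mithgol's replies: '?' and named parameters keep the value out of the SQL text, while '+' concatenation pastes it in, and a parameter containing "1=1" is compared as the literal string "1=1". It is written against Python's standard-library sqlite3 module, which drives the same SQLite engine and binds '?' and ':name' parameters through SQLite's binding API just as node-sqlite3 does (the node-sqlite3 equivalent of the safe lookup is `db.all('SELECT name FROM users WHERE name = ?', [value], callback)`). The `users` table and its rows are constructed for the example.

```python
import sqlite3


# Constructed sample table for this example; the rows, including a user whose
# name is literally "1=1", are made up so the difference between the query
# styles is visible in the results.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("1=1", "user")],
    )
    conn.commit()
    return conn


def find_by_name_concat(conn, name):
    # Unsafe: the caller's value becomes part of the SQL text, so SQLite
    # parses it as SQL syntax rather than treating it as data.
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_positional(conn, name):
    # Safe: the SQL text is fixed; '?' is bound to the value after parsing,
    # so the value is only ever compared against the column as a string.
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def find_by_name_named(conn, name):
    # Safe: a named parameter (:name) is bound exactly like '?'.
    sql = "SELECT name FROM users WHERE name = :name ORDER BY id"
    return [row[0] for row in conn.execute(sql, {"name": name})]


def compare(name):
    # Runs the same lookup three ways and returns the rows each one produced.
    conn = make_db()
    try:
        return {
            "concat": find_by_name_concat(conn, name),
            "positional": find_by_name_positional(conn, name),
            "named": find_by_name_named(conn, name),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # "1=1" on its own is just a string in every variant: only the user named
    # "1=1" matches. The concatenated variant only diverges once the value
    # carries a quote that closes the string literal in the SQL text.
    for value in ["1=1", "alice", "' OR 1=1 --"]:
        print(repr(value), compare(value))
```

Running it shows that "1=1" alone is harmless in all three variants, because without a closing quote it never escapes the string literal. With the bound variants a value is never more than a string to compare against, whatever it contains; only the concatenated variant lets a quote in the value change the shape of the statement, which is the situation the replies above warn against.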

@KiritoStudio
Author

I see. Thanks a lot.

@Mithgol
Contributor

Mithgol commented Jul 8, 2014

I guess the issue can be closed then.

@Mithgol Mithgol closed this as completed Jul 8, 2014