Re: Cuirass news

From: Danny Milosavljevic
Subject: Re: Cuirass news
Date: Fri, 26 Jan 2018 15:30:05 +0100

Hi Ludo,

I saw that (cuirass database) has some problems with SQL injection.
I defused it a little, see the attached patch.

The idea is that sqlite-exec uses sqlite-bind to pass arguments
rather than formatting them on its own.

While we are at it, we can also reuse prepared statements (using the
SQL text as key to find the right one).

I also monitor SQLite accesses now - maybe that's overkill (see "with-mutex").

Attachment: 0001-database-Make-sqlite-exec-reuse-the-prepared-stateme.patch
Description: Text Data
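The three ideas in the message (bind values instead of formatting them into the SQL text, keep one prepared statement per distinct SQL text, serialize database access behind a mutex) are shown below as an added illustration in Python's sqlite3 module. This is not Cuirass code and not the attached Guile patch; the Specifications table, its rows, and the hostile name are constructed for the demo, and the dict keyed by SQL text is a model of the statement reuse the patch describes (Python's sqlite3 also caches compiled statements by text internally, so the dict is there to make the keying visible, not to add caching the module lacks).

```python
"""Formatted SQL vs. bound parameters, with a statement cache keyed by SQL text.

Added example; not Cuirass code.  The table, rows and hostile input are constructed.
"""
import sqlite3
import threading

# Constructed stand-in for a CI specification table (not the real Cuirass schema).
SCHEMA = "CREATE TABLE Specifications (name TEXT PRIMARY KEY, branch TEXT)"
SAMPLE_ROWS = [("guix", "master"), ("guix-modular", "master"), ("hurd", "wip-hurd")]

# The 'before' shape: the value is pasted into the statement text.
LOOKUP_FORMATTED = "SELECT branch FROM Specifications WHERE name = '{}'"
# The 'after' shape: constant statement text, value supplied through a bind slot.
LOOKUP_BOUND = "SELECT branch FROM Specifications WHERE name = ?"
# Constructed hostile name: closes the quote and appends a tautology.
HOSTILE_NAME = "nope' OR '1'='1"


class Database:
    def __init__(self):
        # check_same_thread=False lets several threads share the connection;
        # self._lock serializes them, the analogue of wrapping access in with-mutex.
        self._conn = sqlite3.connect(":memory:", check_same_thread=False,
                                     isolation_level=None)  # autocommit
        self._conn.execute(SCHEMA)
        self._conn.executemany("INSERT INTO Specifications VALUES (?, ?)", SAMPLE_ROWS)
        self._lock = threading.Lock()
        # Prepared-statement cache keyed by SQL text (hypothetical model of the
        # patch's reuse idea): the same text is prepared once and re-bound afterwards.
        self._statements = {}

    def exec_formatted(self, template, *args):
        """Vulnerable: caller-controlled values become part of the SQL grammar."""
        sql = template.format(*args)
        with self._lock:
            return self._conn.execute(sql).fetchall()

    def exec_bound(self, sql, *args):
        """Hardened: SQL text is fixed, values travel as bound parameters."""
        with self._lock:
            cur = self._statements.get(sql)
            if cur is None:
                cur = self._conn.cursor()
                self._statements[sql] = cur
            cur.execute(sql, args)  # binding: values can never alter the query shape
            return cur.fetchall()

    def prepared_count(self):
        """Number of distinct SQL texts prepared so far."""
        return len(self._statements)


def compare_lookup(db, name):
    """Run the same lookup both ways; return (formatted_rows, bound_rows)."""
    return (db.exec_formatted(LOOKUP_FORMATTED, name),
            db.exec_bound(LOOKUP_BOUND, name))


def concurrent_inserts(db, threads=8, per_thread=10):
    """Insert from several threads through exec_bound; return the final row count."""
    def worker(tid):
        for i in range(per_thread):
            db.exec_bound("INSERT INTO Specifications VALUES (?, ?)",
                          f"spec-{tid}-{i}", "master")
    ts = [threading.Thread(target=worker, args=(t,)) for t in range(threads)]
    for t in ts:
        t.start()
    for t in ts:
        t.join()
    return db.exec_bound("SELECT COUNT(*) FROM Specifications")[0][0]


if __name__ == "__main__":
    db = Database()
    formatted, bound = compare_lookup(db, HOSTILE_NAME)
    print("formatted lookup leaked", len(formatted), "rows; bound lookup returned", bound)
    print("rows after concurrent inserts:", concurrent_inserts(db))
    print("distinct statements prepared:", db.prepared_count())
```

The formatted lookup with the hostile name returns every row because the quote break turns the WHERE clause into a tautology; the bound lookup returns nothing, since the whole string is compared as one value. Calling exec_bound twice with the same text prepares it once, which is the cache-by-SQL-text point, and the lock is what keeps the shared cursor objects safe when the inserting threads interleave.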
