
I'm using guile-dbi/sqlite and I have code like this:

(dbi-query db-obj (string-append "SELECT * FROM users WHERE username = '"
                                 username
                                 "'"))

How can I escape a username given by the user to prevent SQL injection?

I could validate the username to only contain letters using [a-zA-Z], but what about other languages that have non-Latin letters, and names like O'Conor?

jcubic
  • This is a hard problem. Instead of accepting only Latin characters, you should exclude characters that have a special meaning for SQL, however. This might help: http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet – Michael Vehrs Mar 27 '17 at 05:57
  • @MichaelVehrs unfortunately there is no info about SQLite, which is what I'm using. – jcubic Mar 27 '17 at 14:14
  • Sorry about that. The obvious culprits are `;`, `'` and `--`. There may be others. I suggest looking at one or more implementations of query builders. – Michael Vehrs Mar 28 '17 at 05:52
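An added example, not from the question or from guile-dbi, written against Python's sqlite3 module because the same SQLite engine sits behind guile-dbi/sqlite. It shows the question's concatenation breaking on O'Conor and admitting extra rows, a SQLite-specific quoting function for the case where the driver only accepts a finished SQL string, as dbi-query does in the question, and the placeholder form to prefer whenever the driver offers parameter binding. The users table is constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the question's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    db.executemany("INSERT INTO users (username) VALUES (?)",
                   [("alice",), ("O'Conor",), ("Zoë",)])
    return db


def lookup_unsafe(db, username):
    """The question's pattern: plain concatenation, so the input becomes SQL."""
    sql = "SELECT * FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def sqlite_quote(value):
    """Quote VALUE as a SQLite string literal. A single quote inside the
    string is written as two single quotes; that is the only escape SQLite
    string literals use. Only for drivers that make you build the SQL text."""
    return "'" + value.replace("'", "''") + "'"


def lookup_escaped(db, username):
    """Still concatenation, but the input is kept inside a string literal."""
    sql = "SELECT * FROM users WHERE username = " + sqlite_quote(username)
    return db.execute(sql).fetchall()


def lookup_param(db, username):
    """Preferred form: a '?' placeholder. The driver binds the value, so no
    character in USERNAME can change the structure of the statement."""
    return db.execute("SELECT * FROM users WHERE username = ?",
                      (username,)).fetchall()


def rows_or_error(lookup, db, username):
    """Run LOOKUP and return its rows, or the exception class name if it fails."""
    try:
        return lookup(db, username)
    except sqlite3.Error as exc:
        return type(exc).__name__


if __name__ == "__main__":
    db = make_db()
    for name in ("O'Conor", "Zoë", "x' OR '1'='1"):
        print(repr(name), rows_or_error(lookup_unsafe, db, name),
              lookup_escaped(db, name), lookup_param(db, name))
```

Inside a correctly quoted literal, `;` and `--` carry no meaning, so the single quote is the only character the escape has to handle; a bound parameter removes even that concern and also handles non-Latin names unchanged.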

0 Answers