[Solved] SQLite in AutoIt: Parameterized Queries, and Receiving the Column Names after a SELECT Query

[Zohar]

Hi all

I would like to ask 2 questions regarding SQLite in AutoIt:

The First Question:
Is it possible to perform Parameterized Queries on SQLite in AutoIt?

Something like this:

SQLiteCommand C  =new SQLiteCommand(DB1);

C.CommandText  =
@"
        INSERT INTO T_Users (Name_First,Name_Last)
        VALUES (@Name_First,@Name_Last)
";

C.Parameters.AddWithValue("@Name_First",Textbox_Name_First.Text);
C.Parameters.AddWithValue("@Name_Last" ,Textbox_Name_Last.Text);

C.ExecuteNonQuery();

Just in AutoIt, instead of in C#

 

The Second Question:
Is it possible to perform a SELECT query which returns a table,
and receive not just the Data cells, but also another First row which will include the Column Names?

As an example,
instead of receiving this:

I wish to receive this:

 

Thank you very much

Edited December 12, 2021 by Zohar

[benners]

You could look at _SQLite_GetTable2d in the helpfile. There are examples there.

[Zohar]

Hi benners

Thank you very much for your reply.

Indeed, seems that _SQLite_GetTable2d() does what I want to do in Q2,
thank you very much.

So I am now looking for an answer regarding Q1 - Parameterized Queries..
Hopefully that can be achieved too.

Currently the closest thing to it that I found (in terms of Security) is
using _SQLite_Escape() and _SQLite_Encode().

Of course these 2 functions are not Parameterized Queries,
but they do give some protection from SQL Injection.

Edited December 11, 2021 by Zohar

[benners]

I'm not too clued op on databases, I can normally get by but for Q1,  you could pass the values as parameters to the function that writes to the database. If you had a GUI with inputs for first and last name, you would use guictrlread to read the input values and pass the results to the function.

If the database field type is text, use _SQLite_Escape() or _SQLite_FastEscape() to correctly quote the strings. I suppose it's up to the programmer to sanitize any passed values to make sure they are corrrect or non-malicious.

[jchd]

For Q1, here's a possible answer:

Of course the benefit is you only prepare the SQL once, but in practice having to invoke a wrapper of DllCall() for every parameter makes it often slower than a single stringized SQL statement with all parms already embedded.

About SQL injection: such thing can only happen if you don't quote the values (parms) properly.

[Zohar]

11 hours ago, jchd said:

For Q1, here's a possible answer:

Of course the benefit is you only prepare the SQL once, but in practice having to invoke a wrapper of DllCall() for every parameter makes it often slower than a single stringized SQL statement with all parms already embedded.

I see.
Thank you.
It complicates the code quite much, so I will not use it..

 

11 hours ago, jchd said:

About SQL injection: such thing can only happen if you don't quote the values (parms) properly.

Well,
you can quote the parameters properly,
but if the value(s) comes from the user, and the user starts playing with the quotes (as a part of the content that he enters), then the fact that you quoted the values properly will not help..

Am I correct?

For this reason, _SQLite_Escape() and _SQLite_Encode() are a must, when running an SQL Query that includes values that come from the user.

 

BTW,
I have a question regarding _SQLite_Escape() vs _SQLite_Encode():

If you want to store Binary data ("Blob") in the DB, then obviusly you will use _SQLite_Encode().

But If you want to store a String (Text) in the DB, then technically, you can use either one of them: _SQLite_Escape() or _SQLite_Encode().

So regarding storing a String,
will it be correct to say that we should always use just _SQLite_Escape(),
or are there cases where we store a String, and _SQLite_Encode() would be the right choice?

Edited December 12, 2021 by Zohar

[jchd]

Keep it simple: string -> *_Escape, binary -> *_Encode

Numeric values (at least true ones) don't pose any problem, unless you beg for problems:

Local $v = "123';drop table X;--haha, fool you"

If $v <> 0 Then
    ConsoleWrite("select * from x where id like '" & $v)
    ConsoleWrite(@CRLF)
EndIf

RULE: always sanitize user input.

EDIT: note that the example also works without the single quotes game.

Local $v = "123;drop table X;--haha, fool you"

If $v > 100 Then
    ConsoleWrite("select * from x where id like " & $v)
    ConsoleWrite(@CRLF)
EndIf

 

Edited December 12, 2021 by jchd

[Zohar]

Thank you very much jchd

 

Does AutoIt have Functions for Sanitizing input strings?

For example for SQL, for HTML, for JavaScript, etc..

Edited December 12, 2021 by Zohar

[TheDcoder]

40 minutes ago, Zohar said:

Does AutoIt have Functions for Sanitizing input strings?

No, you have to do that yourself according to your requirements.

[Zohar]

OK thanks.