views: 199 | answers: 2
In a project I am working on, I need to insert data into a SQLite3 database via C++. In order to avoid a "little Bobby Tables" incident, I need to sanitize my database inputs. I would like to find a library that does this in C++ rather than rolling my own since that usually leads to issues. Since the application will be inserting ID3 data from MP3s into the database, the need for this is paramount since many artist, album, and song titles include invalid characters.

I found an SO post earlier (can't seem to find it now...) that detailed different query builder libraries for C++, but none of those libraries come straight out and say that they offer sanitization functionality. I'd hate to start implementing one to find out it doesn't have this functionality. There has to be a library out there that does this, but my searches have failed me.

My question is, what libraries are available that will sanitize database input in C++? I don't mind rolling my own, but I'd like to avoid it at all costs. Thanks everyone!

+2  A: 

Short answer: do not sanitise your input. Use parameterised queries instead. They are safer and faster.

1800 INFORMATION
Amen. Attempting to scan for "naughty" inputs is a losing battle; someone will come up with a devious way around your filter, and at the same time you'll upset everyone whose surname is "O'Reilly".
j_random_hacker
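Added example (not from the answer above or from any library it mentions) of the point being made: bound parameters turn the asker's ID3 strings into plain data, while splicing them into the SQL text breaks on the first apostrophe. It uses Python's stdlib sqlite3 module, which wraps the same SQLite library; the C API equivalent is sqlite3_prepare_v2 followed by sqlite3_bind_text for each `?`. The track rows are constructed sample data.

```python
import sqlite3

# Constructed sample ID3 data: an apostrophe, double quotes, a comment
# marker and SQL-looking text are all ordinary data once they are bound.
TRACKS = [
    ("O'Reilly", 'Live at the "Club"', "Song; with -- odd chars"),
    ("Robert'); DROP TABLE tracks;--", "Album", "Title"),
]


def open_db():
    """Fresh in-memory database with the table the examples write to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tracks (artist TEXT, album TEXT, title TEXT)")
    return conn


def insert_parameterised(conn, tracks):
    """Insert rows with `?` placeholders; returns the resulting row count."""
    # The SQL text is fixed; SQLite receives each value separately, so no
    # character in the data can change the statement's structure.
    conn.executemany(
        "INSERT INTO tracks (artist, album, title) VALUES (?, ?, ?)", tracks
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM tracks").fetchone()[0]


def insert_concatenated(conn, artist, album, title):
    """The approach the question wants to 'sanitise': string splicing.

    Returns 'inserted' on success or 'error: ...' when the data breaks the
    statement, which happens as soon as a value contains an apostrophe.
    """
    sql = (
        "INSERT INTO tracks (artist, album, title) "
        f"VALUES ('{artist}', '{album}', '{title}')"
    )
    try:
        conn.execute(sql)
        return "inserted"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def stored_artists(conn):
    """Artist column in insertion order, proving the values survived intact."""
    return [row[0] for row in conn.execute("SELECT artist FROM tracks ORDER BY rowid")]
```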
A: 

I'm not sure but SOCI might be able to help you as far as type conversion safety is concerned. I've personally used this and I can say it's definitely worth looking into even if your aim is just to use a sane library for wrapping database access to different backends.

Dean Michael