I am in the process of porting an app from desktop to web. I would like to use a local (i.e. on the same server) SQLite DB. Do I need to use prepared statements between the web app and the SQLite DB under these circumstances?
I ask because I do not know how the web edition client (i.e. running on the user’s computer) talks to the server CGI application, and whether the client sends the statement or just sends the “pushed button A” kind of information about the user interface.
[quote=202186:@scott boss]Any time you take input from a user, you can have SQL injection. Any time you take input from a user, sanitize it before sending it to the database.
Now if you take zero input from the user ever, then it is much harder for SQL injection.[/quote]
But still a good practice to get into, because it’s probable that something user-controlled will eventually make it to a database in some fashion.
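To illustrate the point made above about server-side code and a local SQLite file, here is an added example (not from this thread, and written in Python's built-in sqlite3 module rather than Xojo, since the SQLite behaviour is the same): the browser only sends a value, but if the server concatenates that value into SQL text the query's meaning can change, whereas a prepared statement with a bound parameter keeps it as data. The table and rows are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory SQLite database standing in for
    # the local DB file next to the web app.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return con


def lookup_unsafe(con, name):
    # String concatenation: whatever the browser sent becomes part of the
    # SQL text that SQLite parses, so quotes in the value alter the query.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, name):
    # Prepared statement: SQLite parses the fixed SQL first and then binds
    # the value to the '?' placeholder, so it can only ever be compared as data.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in con.execute(sql, (name,))]


def compare(name):
    # Run the same server-side value through both styles and report what
    # each returns; a syntax error from the unsafe path is reported as such.
    con = make_db()
    try:
        unsafe = lookup_unsafe(con, name)
    except sqlite3.OperationalError:
        unsafe = "error"
    return {"unsafe": unsafe, "safe": lookup_safe(con, name)}


if __name__ == "__main__":
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

Note that the apostrophe in a perfectly legitimate name such as o'brien breaks the concatenated query outright, so binding parameters is a correctness fix as well as a security one.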
The web “client” is the browser. All it does is send “pushed button A” messages to your Xojo code running on the server. Your code has virtually no access to the client machine. It can only access the server’s hardware and resources. (The normal Xojo mechanisms can be extended beyond the foregoing, but that is beyond the typical Xojo web app.)