If you take user input through a web page and insert it into a SQLite database, there is a chance that you have left yourself wide open to a security issue known as SQL injection. In this chapter, you will learn how to help prevent this from happening and how to secure your scripts and SQLite statements.
Injection usually occurs when you ask a user for input, such as their name, and instead of a name they give you a SQLite statement that you will unknowingly run against your database.
Never trust user-provided data; process it only after validation. As a rule, this is done by pattern matching. In the following example, the username is restricted to alphanumeric characters plus underscore and to a length between 8 and 20 characters. Adjust these rules as needed.
if (preg_match('/^\w{8,20}$/', $_GET['username'], $matches)) {
    // $matches[0] now holds only word characters, so quoting it in the SQL is safe
    $db = new SQLiteDatabase('filename');
    $result = @$db->query("SELECT * FROM users WHERE username = '{$matches[0]}'");
} else {
    echo "username not accepted";
}
To demonstrate the problem, consider this excerpt −
$name = "Qadir'; DELETE FROM users;";   // what a hostile user might submit as a username
@$db->query("SELECT * FROM users WHERE username = '{$name}'");
// the database receives: SELECT * FROM users WHERE username = 'Qadir'; DELETE FROM users;'
The function call is supposed to retrieve a record from the users table where the username column matches the name supplied by the user. Under normal circumstances, $name would contain only alphanumeric characters and perhaps spaces, such as the string ilia. In this case, however, by appending an entirely new statement to $name, the call to the database turns into a disaster: the injected DELETE statement removes all records from users.
Some database interfaces do not permit query stacking, that is, executing multiple statements in a single function call; if you try to stack queries there, the call fails. SQLite and PostgreSQL, however, happily perform stacked queries, executing every statement supplied in the one string and creating a serious security issue.
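The following is an added example, not code from the original page. It combines the two defences this chapter relies on: the pattern check from the validation snippet above, and a lookup that passes the username as a bound parameter, so the stacked "; DELETE FROM users;" from the excerpt is compared as plain text rather than executed. It uses the SQLite3 class bundled with current PHP (the SQLiteDatabase class shown above belongs to the legacy sqlite extension, which was removed in PHP 5.4); the table, column names and sample rows are constructed for the demo.

```php
<?php
// Added example; not code from the original page. The users table and its
// rows are constructed here so the script runs on its own, in memory.

function open_demo_db(): SQLite3
{
    $db = new SQLite3(':memory:');
    $db->enableExceptions(true);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (username) VALUES (:u)');
    foreach (['ilia_2001', 'qadir_khan', 'sara_smith'] as $u) {   // constructed rows
        $insert->bindValue(':u', $u, SQLITE3_TEXT);
        $insert->execute();
        $insert->reset();
    }
    return $db;
}

// First gate: the chapter's pattern rule (8 to 20 word characters).
// Anything else is rejected before it gets anywhere near SQL.
function valid_username(string $input): bool
{
    return preg_match('/^\w{8,20}$/', $input) === 1;
}

// Second gate: a bound parameter is compared as data. The value is never
// spliced into the SQL text, so a trailing "; DELETE ..." has nothing to
// attach to and simply fails to match any username.
function find_user(SQLite3 $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :name');
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row;
}

function count_users(SQLite3 $db): int
{
    return (int) $db->querySingle('SELECT COUNT(*) FROM users');
}

$db = open_demo_db();

foreach (['qadir_khan', "Qadir'; DELETE FROM users;"] as $input) {
    echo "input: $input\n";
    if (!valid_username($input)) {
        echo "  rejected by pattern check\n";
    }
    // The lookup is run for both inputs on purpose, to show that the bound
    // parameter alone keeps the table intact even when validation is skipped.
    $before = count_users($db);
    $row    = find_user($db, $input);
    $after  = count_users($db);
    echo "  match: ", $row === null ? 'none' : $row['username'], "\n";
    echo "  rows before/after: $before/$after\n";
}
```

The row count is the check that matters: it stays the same for the hostile input, because the string from the excerpt never reaches SQLite as SQL. Validation still belongs in front of the lookup, since it rejects malformed input early and gives you something to log.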
Preventing SQL Injection
Scripting languages such as Perl and PHP can handle all escape characters for you. PHP provides the function sqlite_escape_string() to escape input characters that are special to SQLite.
if (get_magic_quotes_gpc()) {
    $name = stripslashes($name);     // undo the magic-quotes escaping first
}
$name = sqlite_escape_string($name); // then escape for SQLite in every case
$result = @$db->query("SELECT * FROM users WHERE username = '{$name}'");
Although this encoding makes it safe to insert the data, it renders simple text comparisons and LIKE clauses in your queries unusable for columns that contain binary data.
Note − addslashes() should NOT be used to quote your strings for SQLite queries; it will lead to strange results when retrieving your data.
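As an added example (not from the original page), the escaping approach above in current PHP, where the legacy sqlite extension with sqlite_escape_string() is gone (removed in PHP 5.4) and get_magic_quotes_gpc() no longer exists (removed in PHP 8.0): the equivalent today is the static SQLite3::escapeString(), which doubles embedded single quotes the way SQLite's string-literal syntax expects. The script round-trips a constructed name containing an apostrophe with that escape, then shows what goes wrong when addslashes() is used instead, which is the note's point. The table and sample value are constructed for the demo.

```php
<?php
// Added example; not code from the original page. Everything here runs
// against a constructed in-memory database.

function quote_for_sqlite(string $value): string
{
    // Returns a complete SQL string literal: surrounding quotes plus doubling
    // of any embedded single quote. Backslash has no special meaning in SQLite.
    return "'" . SQLite3::escapeString($value) . "'";
}

function round_trip(SQLite3 $db, string $literal): ?string
{
    // Inserts an already-quoted literal, then reads the stored value back by id.
    $db->exec("INSERT INTO users (username) VALUES ($literal)");
    $id = $db->lastInsertRowID();
    $stored = $db->querySingle("SELECT username FROM users WHERE id = $id");
    return $stored === null ? null : (string) $stored;
}

$db = new SQLite3(':memory:');
$db->enableExceptions(true);   // malformed SQL throws instead of silently returning false
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');

$name = "O'Brien";   // constructed sample containing the one character that matters

// 1. SQLite3::escapeString(): the quote is doubled in the literal and the
//    value comes back exactly as it went in.
echo "escaped literal   : ", quote_for_sqlite($name), "\n";
echo "read back         : ", round_trip($db, quote_for_sqlite($name)), "\n";

// 2. addslashes(): the literal becomes 'O\'Brien'. SQLite reads 'O\' as a
//    complete string (the backslash is an ordinary character), so the rest of
//    the statement is a syntax error rather than the value you wanted stored.
$bad = "'" . addslashes($name) . "'";
echo "addslashes literal: ", $bad, "\n";
try {
    round_trip($db, $bad);
} catch (Exception $e) {
    echo "rejected by SQLite: ", $e->getMessage(), "\n";
}
```

Even with a correct escape, building SQL by string concatenation leaves the comparison caveat above in place; a prepared statement with bound parameters avoids both the quoting rules and the binary-column problem, and is the form to prefer in new code.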