
Re: [sqlite] Looking for a w_char alternative to the sqlite3_mprintf family: msg#00866

sqlite-users

Subject: Re: [sqlite] Looking for a w_char alternative to the sqlite3_mprintf family of functions

Roger:

Thanks for your input.

I was really already using the suggested functions, but for some reason the
sections with strings where user input can add single quotes have kept that
legacy code.

Anyway, thanks again, although I need to verify that the "bind" method does not
have problems with that kind of string.

A.J. Millan



A.J.Millan wrote:
> Actually I have an application that regularly uses expressions as:
>
> char *zUserName = "My name";
> char *zSQL = sqlite3_mprintf ("INSERT INTO table VALUES('%q')", zUserName);

Why aren't you using bound parameters? It is far harder to do what you are
doing above, less efficient and has the potential for SQL injection attacks
(unless you remembered %q everywhere!)

These are the functions you need:

http://www.sqlite.org/c3ref/bind_blob.html

Roger
_______________________________________________
sqlite-users mailing list
sqlite-users@xxxxxxxxxx
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
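The difference Roger is pointing at, as an added example that is not part of the thread: the same value containing a single quote (the case A.J. wants to verify) is inserted three ways: plain string formatting, an emulation of what `sqlite3_mprintf`'s `%q` does (doubling every `'`), and a bound parameter. Python's standard `sqlite3` module is used here because its `?` placeholders go through the same `sqlite3_bind_*` C functions Roger links to; the table and input value are constructed for the demo.

```python
import sqlite3

# Constructed sample input: a legitimate value containing a single quote,
# exactly the kind of string the thread is worried about.
USER_NAME = "O'Brien"


def insert_formatted(conn: sqlite3.Connection, name: str) -> str:
    """Build the statement by plain string formatting (like %s / sprintf).
    Returns 'ok' or the exception class name so the caller sees the failure."""
    try:
        conn.execute("INSERT INTO users VALUES('%s')" % name)
        return "ok"
    except sqlite3.Error as exc:  # the stray quote breaks the statement
        return type(exc).__name__


def insert_escaped(conn: sqlite3.Connection, name: str) -> None:
    """Emulate sqlite3_mprintf's %q: every ' in the value becomes ''.
    Correct, but only if the author remembers it for every parameter."""
    conn.execute("INSERT INTO users VALUES('%s')" % name.replace("'", "''"))


def insert_bound(conn: sqlite3.Connection, name: str) -> None:
    """Bound parameter: the value never becomes part of the SQL text, so no
    escaping is needed at all; this is sqlite3_bind_text in the C API."""
    conn.execute("INSERT INTO users VALUES(?)", (name,))


def stored_names(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


def demo() -> tuple:
    """Run all three inserts against an in-memory database and report the
    outcome of the naive one plus what actually got stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(name TEXT)")
    outcome = insert_formatted(conn, USER_NAME)  # fails: unterminated string
    insert_escaped(conn, USER_NAME)
    insert_bound(conn, USER_NAME)
    return outcome, stored_names(conn)


if __name__ == "__main__":
    print(demo())
```

Only the escaped and bound inserts succeed, and both store the apostrophe verbatim; the bound version does so without any per-parameter escaping to forget.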
