> On Sep 14, 2017, at 11:10 AM, Warren Young <[email protected]> wrote:
>
> You probably just wrote a SQL injection vulnerability.
> Use prepared statements, [named] parameters, and the "bind" functions to
> build the query string instead.

Yeah, you're right. I was trying to keep the example as simple as possible since the OP is a newbie, but it's not much harder to add a "?" parameter. However, some string concatenation is still needed in this case since the table name is not known at compile time.

—Jens

_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
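The two points in the exchange above, as an added example that is not part of either message: a `?` bind parameter takes the user-supplied value, so the value never becomes SQL text, while the table name (which SQLite will not accept as a bound parameter) is still spliced into the string, but only after it has been checked against an allowlist and quoted as an identifier. The schema, the `ALLOWED_TABLES` set and the helper names are constructed for this example; it uses Python's standard `sqlite3` module, which wraps the same SQLite library discussed on the list.

```python
import sqlite3

# Constructed allowlist: the only table names the application will ever query.
ALLOWED_TABLES = {"users", "orders"}


def quote_identifier(name: str) -> str:
    """Quote an SQL identifier the way SQLite expects: double quotes around it,
    any embedded double quote doubled. Only applied after the allowlist check."""
    return '"' + name.replace('"', '""') + '"'


def find_by_name(conn: sqlite3.Connection, table: str, name: str) -> list:
    """Hardened form: table name validated and quoted, value bound with '?'."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {table!r}")
    sql = f"SELECT id, name FROM {quote_identifier(table)} WHERE name = ?"
    # The tuple supplies the parameter; SQLite treats it as a string value,
    # never as part of the statement text.
    return conn.execute(sql, (name,)).fetchall()


def unsafe_find_by_name(conn: sqlite3.Connection, table: str, name: str) -> list:
    """The concatenated form objected to in the thread: the value is pasted
    into the SQL text, so a value containing quotes changes the WHERE clause."""
    sql = f"SELECT id, name FROM {table} WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def table_name_bind_fails(conn: sqlite3.Connection) -> bool:
    """Shows why the table name still needs concatenation: SQLite's parser
    only allows '?' where a value may appear, not where an identifier must."""
    try:
        conn.execute("SELECT id FROM ?", ("users",))
    except sqlite3.OperationalError:
        return True
    return False


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory database with two small tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    odd_input = "' OR '1'='1"
    print("bound parameter, odd input:", find_by_name(db, "users", odd_input))
    print("concatenated, odd input:   ", unsafe_find_by_name(db, "users", odd_input))
    print("can '?' bind a table name? ", not table_name_bind_fails(db))
```

With the bound parameter the odd input is simply a name that matches no row, while the concatenated version returns every row; the allowlist plus identifier quoting is what keeps the one remaining piece of concatenation, the table name, from becoming a second injection point.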

