> On Sep 14, 2017, at 11:10 AM, Warren Young <war...@etr-usa.com> wrote:
>
> You probably just wrote a SQL injection vulnerability.
> Use prepared statements, [named] parameters, and the “bind” functions to
> build the query string instead.

Yeah, you're right. I was trying to keep the example as simple as possible since the OP is a newbie, but it's not much harder to add a "?" parameter. However, some string concatenation is still needed in this case since the table name is not known at compile time.

—Jens

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
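The two points made in this exchange (bind the value with a "?" parameter; the table name still has to be spliced into the SQL text because SQLite cannot bind an identifier) can be shown side by side. The following is an added example, not code from the thread or from the SQLite project; it uses Python's standard sqlite3 module against an in-memory database with constructed sample tables, and the function and table names are my own. The hardened lookup binds the value and restricts the run-time table name to names that actually exist in the schema before quoting it as an identifier; the concatenating version is kept only to show what the bound version prevents.

```python
import sqlite3


def create_sample_db():
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users  (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO users  (name) VALUES ('alice'), ('bob'), ('mallory');
        INSERT INTO orders (name) VALUES ('widget');
    """)
    return conn


def table_exists(conn, table_name):
    """Check a run-time table name against the schema catalogue.

    The name is passed as a bound parameter here, so whatever it contains
    it is compared as a string and cannot alter this query."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table_name,),
    ).fetchone()
    return row is not None


def quote_identifier(name):
    """Quote an SQL identifier in SQLite's double-quote form, doubling any
    embedded double quote so the name is always parsed as one identifier."""
    return '"' + name.replace('"', '""') + '"'


def find_by_name(conn, table_name, name):
    """Hardened lookup: table chosen at run time, value bound with '?'.

    Identifiers cannot be bound, so the table name is validated against
    sqlite_master and then quoted before it is spliced into the SQL text.
    The searched-for value never touches the SQL text at all."""
    if not table_exists(conn, table_name):
        raise ValueError(f"unknown table: {table_name!r}")
    sql = f"SELECT id, name FROM {quote_identifier(table_name)} WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def find_by_name_concatenated(conn, table_name, name):
    """The pattern the thread warns against: the value is concatenated into
    the SQL text, so quote characters in it change the query's meaning."""
    sql = f"SELECT id, name FROM {table_name} WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    db = create_sample_db()
    probe = "' OR '1'='1"  # constructed input containing a quote character
    print("bound       :", find_by_name(db, "users", probe))          # []
    print("concatenated:", find_by_name_concatenated(db, "users", probe))  # all rows
    print("real lookup :", find_by_name(db, "users", "alice"))        # [(1, 'alice')]
```

The schema check is what actually constrains the identifier; quoting on its own only guarantees that whatever string arrives is parsed as a single table name rather than as more SQL. With both in place, the only remaining string concatenation is of a name the database itself has already confirmed exists, and the value side of the WHERE clause is handled entirely by the bind.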