On 3/14/19, John Smith <paz_t...@hotmail.com> wrote:
> For example, if I write a function like:
>
> void CreateSQL_SetName( char* buffer, int size, const char* szName,
>                         const char* szCondition)
> {
>     sqlite3_snprintf( size, buffer, "UPDATE my_table SET name='%s' WHERE %s",
>                       szName, szCondition);
> }
>
> Does SQLite's 'sqlite3_snprintf()' process the strings 'szName' and
> 'szCondition' to verify they do not contain escape sequences that may inject
> other SQL statements into this statement?
It does if you use %q or %Q instead of %s. See https://www.sqlite.org/printf.html#percentq

-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users