Re: [sqlite] Are the 'sqlite3_snprintf()' family protected against SQL injection?

Richard Hipp Thu, 14 Mar 2019 06:55:22 -0700

On 3/14/19, John Smith <paz_t...@hotmail.com> wrote:
> For example, if I write function like:
>
>     void CreateSQL_SetName( char* buffer, int size, const char* szName,
> const char* szCondition)
>     {
>         sqlite3_snprintf( size, buffer, "UPDATE my_table SET name='%s' WHERE
> %s", szName, szCondition);
>     }
>
> Does SQLite 'sqlite3_snprintf()' processes the strings 'szName' and
> 'szCondition' to verify they do not contain escape sequence that may inject
> other SQL statements into this statement?


It does if you use %q or %Q instead of %s.  See
https://www.sqlite.org/printf.html#percentq

-- 
D. Richard Hipp
d...@sqlite.org
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] Are the 'sqlite3_snprintf()' family protected against SQL injection?

Reply via email to