On 3/14/19, John Smith <[email protected]> wrote: > For example, if I write function like: > > void CreateSQL_SetName( char* buffer, int size, const char* szName, > const char* szCondition) > { > sqlite3_snprintf( size, buffer, "UPDATE my_table SET name='%s' WHERE > %s", szName, szCondition); > } > > Does SQLite 'sqlite3_snprintf()' processes the strings 'szName' and > 'szCondition' to verify they do not contain escape sequence that may inject > other SQL statements into this statement?
It does if you use %q or %Q instead of %s. See https://www.sqlite.org/printf.html#percentq -- D. Richard Hipp [email protected] _______________________________________________ sqlite-users mailing list [email protected] http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
