> On Feb 11, 2020, at 2:10 AM, Digital Dog <[email protected]> wrote:
>
> Thanks for enlighening again. It was just a thought. It seems it would be a
> lot of design and code to maintain the performance while preventing the
> original problem from happening. Not worth the trouble. But maybe
> increasing the parameter count to 10.000 would not hurt?
I ran into this a few months ago. I ended up just biting the bullet and
constructing a SQL statement by hand, concatenating comma-separated values
inside an "IN (…)" expression.
Yes, SQL injection is a danger. But if you're being bad in just one place, and
you review that code, you can do this safely. SQLite's C API even has a
function that escapes strings for you, and if you're not coding in C/C++, it's
easy to write your own; basically
str ⟶ "'" + str.replace("'", "''") + "'"
—Jens
_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
