Dear List!
I am currently in doubt if the usage of sqlite3_prepare(...) makes my
application safer.
It is usually recommended to prepare a SQL statement before using it. In
my case, I have no need to re-use them so a simple sqlite3_exec would be
sufficient. On the other side I have been told that preparing the sql
statement makes the application better protected against overflows
(buffer, integer) or sql injection.
Is that true? How does sqlite3_prepare internally work? I usually
sanitize every user input before using it as a parameter for e.g. a LIKE
search in the database. In detail I do this:
* make sure to remove all non-printable characters from the parameter string
* escape all "_", "\" and "%" with "\" (using escapeSQLLikeString -
homemade escape function)
* print the SQL statement like this:
  sqlite3_mprintf("author like '%%%q%%' ESCAPE '\\' ", escapeSQLLikeString(author));
Is that as safe as preparing a statement? Are there any side effects?
Please comment :-)
TIA,
Thomas
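The three approaches the question compares, worked through as an added example that is not part of the original post. It uses Python's standard-library sqlite3 module (which calls sqlite3_prepare and sqlite3_bind under the hood) rather than the C API, so it runs without a compiler; the table, the rows, and the function names `escape_like`, `quote_literal`, `search_bound`, `search_quoted` and `search_concat` are all constructed for this illustration (`escape_like` stands in for the poster's homemade escapeSQLLikeString, and `quote_literal` reproduces what `%q` does). It shows that a bound parameter never becomes part of the SQL text, that `%q` quoting plus LIKE escaping reaches the same result for a string literal, and that LIKE wildcards need escaping in both cases because binding only protects the SQL syntax, not the pattern semantics.

```python
import sqlite3

# Constructed sample rows (not data from the original post); they deliberately
# contain a single quote and the LIKE metacharacters '_' and '%'.
ROWS = [
    ("Thomas", "Notes on SQLite"),
    ("Tom_Smith", "Another title"),
    ("100% pure", "The C API"),
    ("O'Reilly", "Books"),
]
ESC = "\\"  # the ESCAPE character used in the LIKE clauses below


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books (author TEXT, title TEXT)")
    conn.executemany("INSERT INTO books VALUES (?, ?)", ROWS)
    return conn


def escape_like(s, esc=ESC):
    """Escape LIKE metacharacters so the user's text matches literally.
    The escape character itself must be doubled first (hypothetical
    stand-in for the poster's escapeSQLLikeString)."""
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def quote_literal(s):
    """What sqlite3_mprintf's %q does: double every single quote so the
    value can sit inside a '...' SQL string literal."""
    return s.replace("'", "''")


def search_bound(conn, needle, escape_wildcards=True):
    """Prepared statement with a bound parameter. The needle never touches
    the SQL text, so quotes are harmless; LIKE wildcards still need escaping
    if the user's '_' and '%' are meant literally."""
    pattern = "%" + (escape_like(needle) if escape_wildcards else needle) + "%"
    cur = conn.execute(
        "SELECT author FROM books WHERE author LIKE ? ESCAPE '\\'", (pattern,))
    return [row[0] for row in cur]


def search_quoted(conn, needle):
    """The poster's approach: %q-style quoting plus wildcard escaping,
    then the finished pattern is spliced into the SQL text."""
    sql = ("SELECT author FROM books WHERE author LIKE '%"
           + quote_literal(escape_like(needle)) + "%' ESCAPE '\\'")
    return [row[0] for row in conn.execute(sql)]


def search_concat(conn, needle):
    """Raw concatenation with no quoting at all: the needle becomes SQL
    syntax, so a quote in the input breaks or reshapes the statement."""
    sql = "SELECT author FROM books WHERE author LIKE '%" + needle + "%'"
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("bound, literal '_':   ", search_bound(db, "_"))
    print("bound, unescaped '_': ", search_bound(db, "_", escape_wildcards=False))
    print("quoted, O'Re:         ", search_quoted(db, "O'Re"))
    print("bound, O'Re:          ", search_bound(db, "O'Re"))
```

With correct `%q` quoting and LIKE escaping, `search_quoted` and `search_bound` return the same rows for every input, so the poster's method is not less safe for a text parameter; what binding removes is the need to get the quoting right at every call site, and it also handles integers and blobs without any formatting. The `escape_wildcards=False` call shows the part binding does not cover: an unescaped `_` in the pattern matches every non-empty author.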