Sqlite3_exec is merely a wrapper around sqlite3_prepare. The name on
sqlite3_prepare is a little misleading. It is actually sqlite3_compile
and compiles your SQL into an internal metacode and applies syntax
rules. Incorrect SQL will fail on sqlite3_prepare and you can make your
program more robust by performing your prepares before you perform any
processing so that it does not fail indeterminately with a bad SQL
statement after others have been executed.
You have more program control if you do not use sqlite3_exec.
Thomas Zangl wrote:
Dear List!
I am currently in doubt if the usage of sqlite3_prepare(...) makes my
application safer.
It is usually recommended to preapre a SQL statement before using it. In
my case, I have no need to re-use them so a simple sqlite3_exec would be
sufficient. On the other side I have been told that preparing the sql
statement makes the application better protected against overflows
(buffer, integer) or sql injection.
Is that true? How does sqlite3_prepare internally work? I usually
sanitize every user input before using it as a parameter for e.g. a LIKE
search in the database. In detail I do this:
* make sure to remove all non-printable characters from the parameter
string
* escape all "_", "\" and "%" with "\" (using escapeSQLLikeString -
homemade escape function)
* print the SQL statement like this: sqlite3_mprintf("author like
'%%%q%%' ESCAPE '\\' ",
escapeSQLLikeString(author));
Is that as safe as preparing a statement? Are there any sideeffects?
Please comment :-)
TIA,
Thomas
-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
