Thomas Zangl <[EMAIL PROTECTED]> wrote:
>> Compare with this program:
>>
>> string userInput;
>> string sql = "update UserPrefs set innocuousPref=? where userid=123;";
>> sqlite3_stmt* stmt;
>> sqlite3_prepare(db, sql.c_str(), -1, &stmt, 0);
>> sqlite3_bind_text(stmt, 1, userInput.c_str(), -1, SQLITE_STATIC);
>> sqlite3_step(stmt);
>> sqlite3_finalize(stmt);
> Well - ok ;-) I am quite sure that my version is safe but anyway I
> tried sqlite3_prepare. Now I have some problems debugging it.
> I tried to use
>
> void *sqlite3_trace(sqlite3*, void(*xTrace)(void*,const char*), void*);
>
> but I get the input of the prepare call - no ? replaced by the actual
> values.
No, it's not. That's the whole point of the exercise - no textual
substitution is performed, so no risk of SQL injection attacks.
Unfortunately, yes, I don't see any way to capture the values of bound
parameters in the trace function.
> Any ideas how to debug this? I have doubts that my SQL statement is
> bound correctly.
What makes you think so? Do you not get expected results?
> What I try to do is something like this:
>
> // SQL Statement is: "SELECT * FROM table WHERE name LIKE ?"
> search = '%test%';
> sqlite3_bind_text(prepared_statement, 0, search, search, SQLITE_STATIC);
Parameters are numbered from 1, not 0 (not sure why). I also don't see
how passing "search" twice could compile: one parameter expects char*
while the other expects int.
Igor Tandetnik
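As an added illustration of the point made above (example code, not from the thread), the same `LIKE ?` query in Python's stdlib sqlite3 module with the whole pattern, wildcards included, bound as a value: a hostile string is matched literally, while the concatenated form lets it rewrite the statement. The table and rows are constructed for the example; the `escape_like` helper goes one step beyond the thread by showing how to let a user supply a literal substring without granting wildcard power.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
ROWS = [("test user",), ("contest entry",), ("alice",), ("bob_test",)]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", ROWS)
    return conn


def find_like_bound(conn: sqlite3.Connection, pattern: str) -> list:
    """Safe form, mirroring "SELECT * FROM table WHERE name LIKE ?" with
    '%test%' bound: the pattern is data, so quotes in it cannot alter the SQL."""
    cur = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ORDER BY rowid", (pattern,))
    return [row[0] for row in cur]


def find_like_concatenated(conn: sqlite3.Connection, pattern: str) -> list:
    """Unsafe form, kept only for contrast: the input becomes part of the SQL
    text, so a quote in it changes the statement's meaning."""
    cur = conn.execute(
        f"SELECT name FROM users WHERE name LIKE '{pattern}' ORDER BY rowid")
    return [row[0] for row in cur]


def escape_like(value: str) -> str:
    """Neutralise the LIKE metacharacters % and _ (and the escape char itself)
    so a user-supplied substring matches literally; pair with ESCAPE '\\'."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def find_substring(conn: sqlite3.Connection, needle: str) -> list:
    """Substring search where only the application adds wildcards."""
    pattern = "%" + escape_like(needle) + "%"
    cur = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY rowid",
        (pattern,))
    return [row[0] for row in cur]
```

Because the bound value never touches the SQL text, the way to confirm a binding is to check results against a known fixture, as the reply suggests, rather than to look for a rewritten statement in the trace output.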