On Mon, Jun 18, 2012 at 10:34:38AM +0300, Baruch Burstein scratched on the wall:
> Is there a built-in way to escape a GLOB pattern? Will it escape it if I
> bind it to a parameter in a prepared function instead of embedding it
> directly in the query string?

  If it is an identifier (table name, column name, etc.), use double
  quotes.  Double quotes can be escaped by using two in a row.

  For example:

    CREATE TABLE t ( "a*b""c" INT );

  Will create a column with the name a*b"c.

  For string literals, you need to use single quotes.  Same rules apply.

  Parameters do not require escapes, and the values inside a parameter
  will not be evaluated as part of the SQL statement.  This is why
  parameters are invaluable in preventing injection attacks.  Parameters
  can only be used for data values, however, not identifiers.  So,
  while you do not have to escape a * inside a parameter, you cannot
  use a parameter to reference the name of a table or column.

   -j

-- 
Jay A. Kreibich < J A Y  @  K R E I B I.C H >

"Intelligence is like underwear: it is important that you have it,
 but showing it to the wrong people has the tendency to make them
 feel uncomfortable." -- Angela Johnson
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
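Added example, not from the thread: a small Python `sqlite3` script exercising the points in the reply: the doubled-quote identifier from the CREATE TABLE, a GLOB pattern bound as a parameter versus one spliced into the SQL text, the `[*]` character class that GLOB uses to match a literal `*`, and what happens when a table name is bound instead of written as an identifier. The `names` table, its sample rows and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample rows for this example (not from the thread).
SAMPLE_NAMES = ["a*b", "axb", "report.txt", "x' OR '1'='1"]


def make_db():
    """In-memory database with the reply's table plus a constructed name list."""
    con = sqlite3.connect(":memory:")
    # Identifier quoting as in the reply: "" inside "..." is one literal ".
    con.execute('CREATE TABLE t ( "a*b""c" INT )')
    con.execute("CREATE TABLE names (name TEXT)")
    con.executemany("INSERT INTO names VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return con


def quoted_identifier_name(con):
    """Read back the column name created above: a*b"c"""
    return con.execute("PRAGMA table_info(t)").fetchone()[1]


def glob_bound(con, pattern):
    """GLOB with the pattern bound as a parameter: it is data, never SQL text.
    * and ? keep their GLOB meaning; a literal * is matched with the set [*]."""
    rows = con.execute("SELECT name FROM names WHERE name GLOB ?", (pattern,))
    return [r[0] for r in rows]


def glob_spliced(con, pattern):
    """Unsafe form for comparison: the pattern becomes part of the statement,
    so a quote inside it rewrites the WHERE clause instead of being matched."""
    sql = "SELECT name FROM names WHERE name GLOB '" + pattern + "'"
    return [r[0] for r in con.execute(sql)]


def bind_table_name(con, table_name):
    """Parameters are values only: a ? where an identifier belongs fails to parse."""
    try:
        con.execute("SELECT * FROM ?", (table_name,))
        return "executed"
    except sqlite3.OperationalError:
        return "syntax error"


if __name__ == "__main__":
    db = make_db()
    print(quoted_identifier_name(db))
    print(glob_bound(db, "a*b"), glob_bound(db, "a[*]b"))
    print(glob_bound(db, "*' OR '1'='1"), glob_spliced(db, "*' OR '1'='1"))
    print(bind_table_name(db, "names"))
```

With the pattern bound, `*' OR '1'='1` matches only the one row that literally ends in that text; spliced into the statement, the same string turns the WHERE clause into `GLOB '*' OR '1'='1'` and returns every row.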