On Wed, 24 Sep 2014 20:53:32 +0100 Nathaniel Trellice <napt...@yahoo.co.uk> wrote:
> > > You are doing CREATE TABLE statements based on text from an
> > > untrusted user? Really?
>
> > My reaction exactly.
>
> I'm writing a library so the safety of the input is out of my hands
> and in that of the application writers who work 'above' me. I neither
> want to burden them with the responsibility to escape strings nor
> trust them to remember to do so.

Fair enough. I can see why you'd want to use parameterized queries for that. And it looks as though you might get your wish.

I guess if I were in your shoes I'd run the input through sqlite3_snprintf with %q, to safely double any quotes.

--jkl
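An added example, not code from the thread or from SQLite's own sources, of the situation the two posters describe: a library has to build CREATE TABLE from names it does not control, and a `?` placeholder cannot stand in for an identifier. Python's standard-library sqlite3 module is used in place of the C API; `quote_identifier` does by hand for double-quoted identifiers what `sqlite3_snprintf`'s %q does for single-quoted string literals (double the quote character that delimits the token), and `quote_literal` mirrors %q itself. The table and column names are constructed sample inputs, chosen to contain both kinds of quote.

```python
import sqlite3

# Constructed sample inputs: names an application author might hand to the
# library unchecked. Each holds a quote character that plain concatenation
# would mis-parse.
TABLE_NAME = 'order "2014" log'
COLUMN_NAMES = ["id", "o'neil"]


def open_db() -> sqlite3.Connection:
    """Fresh in-memory database so the example runs offline."""
    return sqlite3.connect(":memory:")


def quote_identifier(name: str) -> str:
    """Wrap name in double quotes, doubling any embedded double quote.

    Identifier counterpart of %q: %q doubles single quotes so text can sit
    inside a single-quoted literal; an identifier lives in double quotes, so
    the double quote is what must be doubled. A NUL would end the SQL text
    early in C, so refuse it instead of letting the statement be truncated.
    """
    if "\x00" in name:
        raise ValueError("identifier must not contain NUL")
    return '"' + name.replace('"', '""') + '"'


def quote_literal(text: str) -> str:
    """Single-quoted SQL literal with embedded single quotes doubled (what %q does)."""
    if "\x00" in text:
        raise ValueError("literal must not contain NUL")
    return "'" + text.replace("'", "''") + "'"


def binding_works_for_identifiers(conn: sqlite3.Connection) -> bool:
    """Why escaping is needed at all: ? is only legal where a value may appear,
    never in the table-name position of CREATE TABLE."""
    try:
        conn.execute("CREATE TABLE ? (id INTEGER)", ("t",))
        return True
    except sqlite3.OperationalError:
        return False


def create_table_naive(conn, table_name, columns) -> str:
    """Plain concatenation: the statement breaks as soon as a name holds a quote."""
    sql = "CREATE TABLE %s (%s)" % (table_name, ", ".join(columns))
    conn.execute(sql)
    return sql


def naive_breaks(conn, table_name, columns) -> bool:
    """True when the concatenated statement is rejected by the SQL parser."""
    try:
        create_table_naive(conn, table_name, columns)
        return False
    except sqlite3.OperationalError:
        return True


def create_table(conn, table_name, columns) -> str:
    """Quoted form: every untrusted name becomes a double-quoted identifier."""
    cols = ", ".join(quote_identifier(c) for c in columns)
    sql = "CREATE TABLE %s (%s)" % (quote_identifier(table_name), cols)
    conn.execute(sql)
    return sql


def table_names(conn) -> list:
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [r[0] for r in rows]


def column_names(conn, table_name) -> list:
    # PRAGMA arguments take identifiers, so the same quoting applies here.
    rows = conn.execute("PRAGMA table_info(%s)" % quote_identifier(table_name))
    return [r[1] for r in rows]


if __name__ == "__main__":
    db = open_db()
    print("binding accepted for identifiers:", binding_works_for_identifiers(db))
    print("naive concatenation rejected:", naive_breaks(db, TABLE_NAME, COLUMN_NAMES))
    print(create_table(db, TABLE_NAME, COLUMN_NAMES))
    print(table_names(db), column_names(db, TABLE_NAME))
```

The doubling rule is the whole technique: whichever character delimits the token is the only one that needs doubling, and a NUL must be rejected outright because the C string functions stop there. On the C side the same doubling is what %q performs for literals; SQLite's `sqlite3_mprintf` documentation also lists a %w conversion that doubles double quotes for exactly this identifier case.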