On Tue, 3 Mar 2015 at 03:01 Simon Slavin <slavins at bigfraud.org> wrote:

>
> On 2 Mar 2015, at 12:23am, Jay Kreibich <jay at kreibi.ch> wrote:
>
> > Every database I've ever used starts SQL parameter indexes from 1.  I'm
> not sure it is part of the SQL standard, but it is more or less the de facto
> standard of SQL APIs, and might be considered part of the SQL language.
>
> I hope the SQLite library does something appropriate if you try to bind to
> parameter 0.  It would seem to be an excellent avenue for a security bug if
> nothing tests for it.
>

SQLITE_RANGE <https://www.sqlite.org/rescode.html#range> is returned if the
parameter index is out of range.

https://www.sqlite.org/c3ref/bind_blob.html

I can't confirm that 100% off the top of my head but I'm uncoordinated
enough to repeatedly confuse the bind and column value API calls and use
0-based indices for both and haven't noticed any really untoward behaviour
(beyond my code not working and requiring fixing).

Regards,
Donald Shepherd.
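
Added example, not part of the original message: a check of the behaviour discussed above, calling the SQLite C API through Python's ctypes so the raw result code of sqlite3_bind_int() is visible for indexes below, inside and above the valid range. The library lookup in load_sqlite(), the helper names and the sample statement are assumptions made for this example.

```python
import ctypes
import ctypes.util
from ctypes import POINTER, byref, c_char_p, c_int, c_void_p

SQLITE_OK = 0
SQLITE_RANGE = 25  # result code documented at sqlite.org/rescode.html#range


def load_sqlite():
    """Locate the SQLite shared library (lookup strategy is an assumption)."""
    name = ctypes.util.find_library("sqlite3")
    if name:
        return ctypes.CDLL(name)
    import _sqlite3  # fall back to the copy Python's own sqlite3 module links to
    return ctypes.CDLL(_sqlite3.__file__)


def bind_result_codes(sql, indices):
    """Prepare sql, call sqlite3_bind_int() at each index, return the codes."""
    lib = load_sqlite()
    lib.sqlite3_open.argtypes = [c_char_p, POINTER(c_void_p)]
    lib.sqlite3_prepare_v2.argtypes = [c_void_p, c_char_p, c_int,
                                       POINTER(c_void_p), POINTER(c_char_p)]
    lib.sqlite3_bind_int.argtypes = [c_void_p, c_int, c_int]
    lib.sqlite3_finalize.argtypes = [c_void_p]
    lib.sqlite3_close.argtypes = [c_void_p]

    db, stmt = c_void_p(), c_void_p()
    try:
        if lib.sqlite3_open(b":memory:", byref(db)) != SQLITE_OK:
            raise RuntimeError("sqlite3_open failed")
        if lib.sqlite3_prepare_v2(db, sql.encode(), -1,
                                  byref(stmt), None) != SQLITE_OK:
            raise RuntimeError("sqlite3_prepare_v2 failed")
        # The bound value (42) is irrelevant; only the index is under test.
        return [lib.sqlite3_bind_int(stmt, i, 42) for i in indices]
    finally:
        lib.sqlite3_finalize(stmt)  # harmless no-op if stmt is still NULL
        lib.sqlite3_close(db)


if __name__ == "__main__":
    # Constructed statement with two parameters: valid indexes are 1 and 2.
    tried = (-1, 0, 1, 2, 3)
    for idx, rc in zip(tried, bind_result_codes("SELECT ?, ?", tried)):
        print(idx, "SQLITE_RANGE" if rc == SQLITE_RANGE else rc)
```

Callers that ignore the return value of the bind functions will not see this error; the parameter simply stays unbound (NULL) when the statement runs.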
