Peeking at the SQLite source code, I see different usage patterns for the sqlite3_mprintf() function:

- sqlite3_mprintf("direct static string without %");
- sqlite3_mprintf("%s", zString);

What's the recommended usage and best practice for this function?

I think that using the sqlite3_mprintf(zString) function on an untrusted string could lead to a security problem (buffer overflow) in case zString *could* contain some "%..." format strings, and the - normal - practice should be:

- use sqlite3_mprintf("%s", zString); when the string could be provided by user code (and may contain format strings)
- use sqlite3_mprintf("direct static string without %"); when we are absolutely sure that the string cannot, in any situation, contain format strings.

Is that all or are there other considerations to take into account?

Thanks and have a nice day,
Aladdin

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
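The two usage patterns from the question, written out as a small added C example (not code from the SQLite project or from the poster). sqlite3_mprintf() is not linked here, so snprintf() stands in for it: both belong to the same printf family, so the rule is identical, the untrusted string is always an argument to "%s" and never the format itself. The helper has_format_directive() is a constructed check a reviewer can use to flag a string that would be unsafe as a format; format_untrusted() and format_static() are hypothetical names chosen for this example. Note also that sqlite3_mprintf() offers %q and %Q for embedding strings into SQL text with quotes escaped, which is the right tool when the untrusted value is going into a statement rather than a plain message.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Return 1 if s contains a conversion directive, i.e. a '%' that is not
 * part of a literal "%%". Such a string must never be passed as the
 * format argument of a printf-style function; it has to go through "%s". */
int has_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is just a literal percent sign */
            p++;
            continue;
        }
        return 1;               /* "%s", "%d", "%q", ... : a real directive */
    }
    return 0;
}

/* The safe pattern: the untrusted text is an argument to a fixed "%s"
 * format, so any '%' it carries is copied verbatim, never interpreted.
 * (Stand-in for sqlite3_mprintf("%s", zString).)
 * Returns the number of bytes written (excluding the NUL), or -1 if the
 * output buffer was too small. */
int format_untrusted(char *out, size_t outlen, const char *untrusted)
{
    int n = snprintf(out, outlen, "%s", untrusted);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* The "direct static string" pattern, with a guard: it is only acceptable
 * for text the programmer wrote, so refuse anything that carries a
 * directive instead of trusting the caller's promise. (Hypothetical
 * wrapper; stand-in for sqlite3_mprintf("static string without %").) */
int format_static(char *out, size_t outlen, const char *literal)
{
    if (has_format_directive(literal))
        return -1;              /* would have been interpreted as a format */
    return format_untrusted(out, outlen, literal);
}

int main(void)
{
    char buf[64];
    /* Constructed sample input imitating text a user could type. */
    const char *user_text = "100% sure, %s";

    if (format_untrusted(buf, sizeof buf, user_text) >= 0)
        printf("safe:   [%s]\n", buf);       /* prints the text unchanged */

    if (format_static(buf, sizeof buf, user_text) < 0)
        printf("static: rejected, input contains a format directive\n");

    if (format_static(buf, sizeof buf, "all rows copied") >= 0)
        printf("static: [%s]\n", buf);
    return 0;
}
```

Run stand-alone it prints the user text byte-for-byte through the "%s" path and rejects the same text on the static path; the has_format_directive() check is what a code review or a debug build would apply to every call site that passes a non-literal as the format.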