On Thu, Jun 10, 2010 at 12:12:54PM -0500, Jay A. Kreibich scratched on the wall:
> On Thu, Jun 10, 2010 at 07:02:02PM +0200, Jean-Christophe Deschamps scratched 
> on the wall:
> > >I am parsing fields on the fly and then creating tables, 
> > Can you wrap every column name inside double quotes or square brackets?
> > "Order"
>   If you're using identifiers (table or column names) from an external
>   source, you should always do this.  Sanitize your inputs!

  You can also use the %w token in the sqlite3_*printf() calls.  It is
  similar to %q, only it escapes double quotes (rather than single
  quotes, like %q) inside a string.  For example:

  sqlite3_mprintf( "CREATE TABLE \"%w\" ( \"%w\" INTEGER[...]", 
                        tbl_name, col1_name, ... );

  This token is not documented, but it is also not marked "internal only".
Jay A. Kreibich < J A Y  @  K R E I B I.C H >

"Intelligence is like underwear: it is important that you have it,
 but showing it to the wrong people has the tendency to make them
 feel uncomfortable." -- Angela Johnson
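As an added example (not part of this thread or of SQLite's own code), here is a hand-written equivalent of the %w rule, doubling any embedded double quote and wrapping the result in double quotes, so the escaping that the token does for you is visible without linking libsqlite3; the helper names quote_ident and build_create_table are ours.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Append one character, keeping room for the terminating NUL. */
static int put(char *out, size_t outsz, size_t *n, char c)
{
    if (*n + 1 >= outsz) return -1;
    out[(*n)++] = c;
    return 0;
}

/* Write `name` into `out` as a double-quoted SQL identifier, doubling any
 * embedded double quote (the same rule %w applies). Returns the number of
 * characters written, or -1 if `out` is too small. */
int quote_ident(const char *name, char *out, size_t outsz)
{
    size_t n = 0;
    if (put(out, outsz, &n, '"')) return -1;
    for (const char *p = name; *p; p++) {
        /* an embedded quote is emitted twice so it cannot end the identifier */
        if (*p == '"' && put(out, outsz, &n, '"')) return -1;
        if (put(out, outsz, &n, *p)) return -1;
    }
    if (put(out, outsz, &n, '"')) return -1;
    out[n] = '\0';
    return (int)n;
}

/* Assemble CREATE TABLE "<tbl>" ("<col>" INTEGER) from externally supplied
 * names, quoting each one instead of pasting it into the SQL text. */
int build_create_table(const char *tbl, const char *col, char *sql, size_t sqlsz)
{
    char qt[128], qc[128];
    if (quote_ident(tbl, qt, sizeof qt) < 0 || quote_ident(col, qc, sizeof qc) < 0)
        return -1;
    int n = snprintf(sql, sqlsz, "CREATE TABLE %s (%s INTEGER)", qt, qc);
    return (n < 0 || (size_t)n >= sqlsz) ? -1 : n;
}

int main(void)
{
    char sql[512];
    /* constructed inputs: a reserved word and a name with an embedded quote */
    if (build_create_table("Order", "say \"hi\"", sql, sizeof sql) > 0)
        puts(sql);   /* CREATE TABLE "Order" ("say ""hi""" INTEGER) */
    return 0;
}
```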
sqlite-users mailing list