Re: [sqlite] Sanitizing module arguments in virtual table create statement

2019-12-31 Thread Richard Hipp
On 12/31/19, David Jones wrote:
> Even though my example used the zipfile module, I want to handle the general
> case.

The virtual table mechanism passes the xCreate method of the virtual
table whatever text you enter.  It is up to the virtual table itself
to interpret that text however it wants.  Different virtual tables can
(potentially) do it differently.

-- 
D. Richard Hipp
d...@sqlite.org
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
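
The quoting approach asked about in this thread, as an added example (not code from either poster or from the SQLite project): the argument is written as a single-quoted literal with embedded single quotes doubled, and SQLite's own parser is used to check the result. The module name `example_module_not_loaded` and the sample file names are constructed; the module is deliberately unregistered, so a "no such module" error shows the text parsed as one statement.

```python
import re
import sqlite3

def quote_literal(value: str) -> str:
    """Single-quote value and double embedded single quotes (SQL string literal)."""
    if "\x00" in value:
        raise ValueError("NUL character not allowed in module argument")
    return "'" + value.replace("'", "''") + "'"

def build_create_vtab(table: str, module: str, arg: str) -> str:
    """Build the statement text; identifiers are restricted to a strict whitelist."""
    for ident in (table, module):
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", ident):
            raise ValueError("unexpected identifier: %r" % ident)
    return "CREATE VIRTUAL TABLE %s USING %s(%s);" % (table, module, quote_literal(arg))

def error_text(sql: str) -> str:
    """Execute sql on a scratch in-memory database; return the error text or ''."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute(sql)
        return ""
    except sqlite3.Error as exc:
        return str(exc)
    finally:
        con.close()

def literal_round_trip(value: str) -> str:
    """Let SQLite parse the quoted literal and hand back the decoded string."""
    con = sqlite3.connect(":memory:")
    try:
        return con.execute("SELECT " + quote_literal(value)).fetchone()[0]
    finally:
        con.close()

# Constructed sample inputs standing in for user-supplied file names.
SAMPLES = ["O'Brien's (old).zip", "weird).zip", "a'); DROP TABLE t; --"]
MODULE = "example_module_not_loaded"  # hypothetical name, deliberately unregistered

if __name__ == "__main__":
    for name in SAMPLES:
        sql = build_create_vtab("xxx", MODULE, name)
        # "no such module" means the text parsed as one statement and SQLite
        # got as far as looking up the module; a parse failure reads differently.
        print(sql, "->", error_text(sql))
    # Unquoted contrast: the stray ")" ends the argument list early.
    naive = "CREATE VIRTUAL TABLE xxx USING %s(%s);" % (MODULE, SAMPLES[1])
    print(naive, "->", error_text(naive))
```

As the reply says, the module is passed the text as entered, quotes included, so whether they are stripped again depends on the module.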


[sqlite] Sanitizing module arguments in virtual table create statement

2019-12-31 Thread David Jones
My application naively tried preparing the statement: “CREATE VIRTUAL TABLE xxx USING zipfile(?1);” and binding the name of the zip file, supplied by the user, to parameter 1 for execution. This doesn’t work, and the documentation reveals that this is by design. I therefore have to expand the argument(s) myself to get the statement to prepare. The page says there are no restrictions on the argument other than balanced parentheses, leaving me unclear how the parser deals with the statement following the left parenthesis after the module name. Do I make the argument a literal and double embedded occurrences of single quotes?

Even though my example used the zipfile module, I want to handle the general case.