> On Jul 21, 2017, at 6:45 AM, Peter Da Silva <peter.dasi...@flightaware.com> wrote:
>
> Have a look at prepared statements and statement parameters.
Agreed. PLEASE, PLEASE, do not try to splice parameters into SQL strings! Any mistakes in this code leave you vulnerable to SQL Injection Attacks, which are depressingly common and cause great damage in the real world. (Some of the examples already posted in this thread contain such mistakes…)

SQLite, like every other SQL database I know of, has APIs that let you safely plug runtime parameters into statements without having to do string concatenation or quoting or sanitization. The resulting code is safe, more readable, and as a bonus it’s faster because the database only has to compile and optimize the statement once, no matter how many times it runs.

—Jens

_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
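The contrast the reply describes, as an added example that is not part of the original thread: the same lookup written by splicing the value into the SQL text and written with a bound parameter, run against a small in-memory SQLite database built with Python's standard `sqlite3` module. The table, its rows and the quote-bearing input are all constructed here for the demonstration; the `?` placeholder and `executemany` reuse of one compiled statement are the module's real API.

```python
"""Added example (not from the mailing list thread): SQL injection via
string splicing versus bound parameters, using Python's sqlite3 module.
Table, rows and the quote-bearing input are all constructed here."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a small constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    # One statement, compiled once, bound three times with different values.
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"),
         ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_spliced(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the post warns against: the runtime value is pasted into
    the SQL text, so a quote inside the value becomes part of the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Statement with a parameter placeholder; the driver binds the value
    after the statement is compiled, so it is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed input: a closing quote followed by an always-true clause.
INJECTED_NAME = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("spliced:", lookup_spliced(db, INJECTED_NAME))  # every row comes back
    print("bound:  ", lookup_bound(db, INJECTED_NAME))    # no such user: []
    print("bound, ordinary input:", lookup_bound(db, "bob"))
```

With the spliced form the WHERE clause becomes `name = 'x' OR '1'='1'` and every row is returned; with the bound form the whole string is compared as a literal name and nothing matches, with no quoting or sanitizing code to get wrong.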