On February 11, 2020 1:43:30 p.m. EST, Jens Alfke <j...@mooseyard.com> wrote:
>I ran into this a few months ago. I ended up just biting the bullet and
>constructing a SQL statement by hand, concatenating comma-separated
>values inside an "IN (…)" expression.
>
>Yes, SQL injection is a danger. But if you're being bad in just one
>place, and you review that code, you can do this safely. SQLite's C API
>even has a function that escapes strings for you, and if you're not
>coding in C/C++, it's easy to write your own; basically
> str ⟶ "'" + str.replace("'", "''") + "'"
Same here, for what it's worth. Since SQLite also has a 1M byte statement
length limit I had my application embed terms once an IN() expression exceeded
a certain number of terms, but used parameters always for string terms longer
than a couple hundred bytes.
--
J. King
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
