On 11 Aug 2016, at 5:32am, Jay Kreibich <j...@kreibi.ch> wrote:

> In short, if you’re using string manipulation functions to build your query
> string, you’re very very very very likely doing it wrong.

There are situations where it's the best (possibly only) way, though.  If you 
want to offer your users a flexible search/sort ability then there can be too 
many different possibilities to store all the possible queries.  A clearer 
formulation of the above is that when you build your SQL command string, you do 
not build it directly from user input.

So using a bunch of 'IF' statements to build a 'SELECT' string is okay.

Allowing the user to pick a column name from a popup list you populate, and 
concatenating a 'SELECT' string including the one the user picked is okay.

But allowing the user to type a column name and concatenating a 'SELECT' string 
including what the user typed is not.

Simon.
_______________________________________________
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
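The distinction Simon draws (splice only identifiers the program chose from its own list, never what the user typed, and bind every value as a parameter) is easy to get wrong in practice, so here is a worked query builder that follows it. This is an added example, not code from the thread or from the SQLite project; the `contacts` table, its rows, and the allow-list sets are constructed for the demonstration.

```python
import sqlite3

# Constructed sample schema and rows (not from the mailing list thread).
SCHEMA = """
CREATE TABLE contacts (
    id   INTEGER PRIMARY KEY,
    name TEXT    NOT NULL,
    city TEXT    NOT NULL,
    age  INTEGER NOT NULL
);
"""
ROWS = [
    (1, "Alice", "Oslo", 34),
    (2, "Bob", "Bergen", 27),
    (3, "Carol", "Oslo", 41),
]

# The allow-lists: the only identifiers the builder will ever splice into SQL
# text. A UI populates its popup from these sets; the user picks, never types.
# Note that "id" is deliberately absent: the allow-list is what the application
# chooses to expose, not a copy of the schema.
SORTABLE_COLUMNS = {"name", "city", "age"}
FILTERABLE_COLUMNS = {"name", "city", "age"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_query(filters, sort_by, direction="asc"):
    """Assemble a SELECT from a series of IF-style decisions.

    filters:   list of (column, value) pairs. The column name is checked
               against the allow-list and then spliced into the SQL text;
               the value is never spliced, it is bound as a ? parameter.
    sort_by:   column to order by, also allow-list checked.
    direction: "asc" or "desc", mapped through a fixed table.
    Returns (sql, params) ready for sqlite3's execute().
    """
    where_parts = []
    params = []
    for column, value in filters:
        if column not in FILTERABLE_COLUMNS:
            raise ValueError(f"unknown filter column: {column!r}")
        where_parts.append(f'"{column}" = ?')
        params.append(value)

    if sort_by not in SORTABLE_COLUMNS:
        raise ValueError(f"unknown sort column: {sort_by!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown sort direction: {direction!r}")

    sql = "SELECT id, name, city, age FROM contacts"
    if where_parts:
        sql += " WHERE " + " AND ".join(where_parts)
    sql += f' ORDER BY "{sort_by}" {DIRECTIONS[direction]}'
    return sql, params


def run_search(filters, sort_by, direction="asc"):
    """Run the built query against an in-memory database seeded with ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?, ?)", ROWS)
    sql, params = build_query(filters, sort_by, direction)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    # A user picked "city" from the filter popup and typed the value "Oslo".
    print(run_search([("city", "Oslo")], "age", "desc"))
```

The two kinds of input never meet the same code path: a column name either is a member of the allow-list or the request is rejected before any SQL is built, while a typed value such as `O'Neil` goes through `?` binding, so quoting inside it is SQLite's problem, not string-concatenation's.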
