[sqlite] Fwd: SAVEPOINT name

2015-05-21 Thread Baruch Burstein
On Thu, May 21, 2015 at 7:15 PM, Simon Slavin wrote:
>
>
> Also, savepoint names can't be used as parameters when binding.


Does that mean that I can't prepare this: "SAVEPOINT :name"? What would be
the recommended method of preventing SQL injection for this?



[sqlite] Fwd: SAVEPOINT name

2015-05-21 Thread Baruch Burstein
Hi,

What are the restrictions (if any) on a save point name? Alphanumeric? Same
as a string (enclosed in ' ' if necessary)? Something else?

Thank you,
Baruch



[sqlite] Fwd: SAVEPOINT name

2015-05-21 Thread Simon Slavin

On 21 May 2015, at 3:56pm, Baruch Burstein wrote:

> What are the restrictions (if any) on a save point name? Alphanumeric? Same
> as a string (enclosed in ' ' if necessary)? Something else?

No official documentation, as far as I know.  The nearest is this:



It's an entity name, not a string, so the restrictions should be the same as 
those on table names and column names.  I think you need to double-quote them 
if you want spaces in them or use square brackets if you want to use 
punctuation in them.

Also, savepoint names can't be used as parameters when binding.

Simon.


[sqlite] Fwd: SAVEPOINT name

2015-05-21 Thread Igor Tandetnik
On 5/21/2015 3:51 PM, Baruch Burstein wrote:
> Does that mean that I can't prepare this: "SAVEPOINT :name"?

Yes.

> What would be the recommended method of preventing SQL injection for this?

Do you plan to run SAVEPOINT "user-provided-string"? What for, if you 
don't mind me asking?
-- 
Igor Tandetnik
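
Added example, not part of the thread: since a savepoint name cannot be bound, one way to keep a caller-supplied name from altering the statement is to check it against an allowlist and emit it as a double-quoted identifier with embedded double quotes doubled. The helper names, the allowlist pattern and the hostile sample string are assumptions made for this sketch, which uses Python's standard `sqlite3` module.

```python
import re
import sqlite3

# Assumed policy for this sketch (not stated in the thread): savepoint names
# supplied by callers must be plain ASCII identifiers of bounded length.
SAFE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,62}")
VERBS = {"begin": "SAVEPOINT ", "rollback": "ROLLBACK TO SAVEPOINT ",
         "release": "RELEASE SAVEPOINT "}

def quote_identifier(name):
    """Double-quote an SQL identifier, doubling any embedded double quote."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'

def savepoint_sql(verb, name, strict=True):
    """Build a savepoint statement; strict mode also enforces the allowlist."""
    if strict and not SAFE_NAME.fullmatch(name):
        raise ValueError("savepoint name rejected: %r" % name)
    return VERBS[verb] + quote_identifier(name)

def binding_is_rejected(conn):
    """True if SQLite refuses a bound parameter in place of the name."""
    try:
        conn.execute("SAVEPOINT ?", ("sp1",))
    except sqlite3.Error:
        return True
    return False

def demo():
    # isolation_level=None: the sqlite3 module opens no transactions itself.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE t(x)")
    rejected = binding_is_rejected(conn)
    hostile = 'sp"; DROP TABLE t; --'  # constructed hostile input
    results = {}
    for label, name, strict in (("plain", "step_1", True),
                                ("hostile", hostile, False)):
        conn.execute(savepoint_sql("begin", name, strict))
        conn.execute("INSERT INTO t VALUES (1)")
        conn.execute(savepoint_sql("rollback", name, strict))  # undo insert
        conn.execute(savepoint_sql("release", name, strict))
        results[label] = conn.execute("SELECT count(*) FROM t").fetchone()[0]
    conn.close()
    return rejected, results

if __name__ == "__main__":
    print(demo())
```

With `strict=False` the hostile string is treated as one oddly named savepoint and table `t` survives; the default strict mode rejects it before any SQL is built.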