Hi, Olivier,

On Tue, Jun 5, 2018 at 3:15 PM, Olivier Mascia <o...@integral.be> wrote:
>> On 5 June 2018 at 18:19, Igor Korot <ikoro...@gmail.com> wrote:
>>
>> My query is:
>>
>> std::string query = "PRAGMA foreign_key_list( \"%w\" )";
>>
>> Then I'm doing this:
>>
>> char *y = sqlite3_mprintf( query.c_str(), tableName );
>> res = sqlite3_prepare_v2( m_db, y, -1, &stmt, 0 );
>>
>> and then the code follows.
>>
>> So are you saying that this PRAGMA is not using the SELECT internally?
>
> I haven't dug into this discussion thread in detail, but you could try:
>
> std::string query = "SELECT * FROM pragma_foreign_key_list(?)";
>
> You will then be able to bind the table name after prepare without using
> printf, which is good protection against code injection, depending on where
> your tableName value comes from, and will allow you to bind new table names
> and re-run without preparing the statement again.

Thank you for the suggestion. I will try that.

As a side note: is that the case for all PRAGMA commands - can they all be
rewritten this way?

Thank you.

>
> --
> Best Regards, Meilleures salutations, Met vriendelijke groeten,
> Olivier Mascia
>
>
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
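The bound-parameter form suggested in the quoted reply, as an added example that is not part of the original thread: it uses Python's built-in sqlite3 module rather than the C API from the question, and the schema, table names and helper functions are constructed for illustration. It assumes SQLite 3.16.0 or later, which introduced the pragma table-valued functions.

```python
import sqlite3

# Table-valued form of PRAGMA foreign_key_list: the table name is a bound
# parameter, so it is never spliced into the SQL text.
FK_QUERY = ('SELECT "from", "table", "to" '
            'FROM pragma_foreign_key_list(?) ORDER BY "table", seq')


def build_sample_db():
    """Constructed sample schema (hypothetical, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE author(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE publisher(id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE book(
            id INTEGER PRIMARY KEY,
            author_id INTEGER REFERENCES author(id),
            publisher_id INTEGER REFERENCES publisher(id)
        );
        CREATE TABLE review(
            id INTEGER PRIMARY KEY,
            book_id INTEGER REFERENCES book(id)
        );
    """)
    return conn


def foreign_keys(conn, table_name):
    """Return (column, referenced_table, referenced_column) per foreign key."""
    return conn.execute(FK_QUERY, (table_name,)).fetchall()


def table_count(conn):
    """Number of tables in the schema, used to confirm nothing was altered."""
    return conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
    ).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    # Same SQL text each time; only the bound value changes. The last name is
    # a constructed value containing quotes and SQL, and is treated as data.
    for name in ("book", "review", 'book" ); DROP TABLE book; --'):
        print(repr(name), foreign_keys(db, name))
    print("tables still present:", table_count(db))
```

A name that matches no table simply yields no rows, so the caller can tell "no foreign keys or no such table" apart from an error without any string formatting in the query.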
