On Wed, Feb 12, 2020 at 9:02 PM Eric Grange <zar...@gmail.com> wrote: > [...] This is completely safe vs SQL injection, and IME quite efficient. [...]
I disagree that this is efficient enough. I'd much rather have native support in SQLite for array binding, in the public API, than this. That public API could wrap what carray does perhaps, except in a type-safe way (which carray is not IMHO). e.g., the API could be, for SQL "select rowid from tab where owner = ? and name_id in (?)": sqlite3_bind_int(stmt, 1, scalar_int_val); sqlite3_bind_array_begin(stmt, 2, vector_int_val.size()); // size hint, to pre-size internal buffers for (int i : vector_int_val) { // C++11 range-for loop sqlite3_bind_int(stmt, 2, i); } sqlite3_bind_array_end(stmt, 2); That syntax is completely made up, but with the equivalent of carray(), SQLite could efficiently "do the right thing" (perhaps rewriting the SQL into a join), knows the cardinatity of the array, so can order the join correctly, etc... The above approach adds only two APIs, and reuses the existing bind APIs, to avoid duplicating them all with array-variants. FWIW :). --DD _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users