Re: [sqlite] Re: How safe is sqlite3_prepare compared to sqlite3_exec?

Thu, 30 Nov 2006 09:16:42 -0800 

Regarding your code snippet:

// SQL Statement is: "SELECT * FROM table WHERE name LIKE ?"
search = '%test%';
sqlite3_bind_text(prepared_statement, 0,search , search , SQLITE_STATIC);

First I'm not sure what language you're using - it seems Perl-like.
Anyways, the documentation for http://www.sqlite.org/capi3ref.html#sqlite3_bind_text gives the 4th param as the number of bytes (not chars) while you're passing the original string. Since I'm assuming it's Perl, it won't generate an error on the type mismatch. You generally want to pass -1 for the fourth parameter (from what I understand, -1 is always safe for sqlite3_bind_text). Also, take care in using SQLITE_STATIC and make sure that the string you pass remains on the heap (i.e. delete isn't called, not sure if this is possible in Perl) or the stack (i.e. local variable in scope) when you execute the statement. 

Hope this helps.
PS. As for the trace, I can't help you as I've never used it (try looking up the API reference). What I do though for my program is save to the log the string I pass to prepare. Then I print the values that in the order they are bound. 

Thomas Zangl wrote:

Igor Tandetnik schrieb:

Hi!

Compare with this program:

string userInput;
string sql = "update UserPrefs set innocuousPref=? where userid=123;";
sqlite3_stmt* stmt;
sqlite3_prepare(db, sql.c_str(), -1, &stmt, 0);
sqlite3_bind_text(stmt, 1, userInput.c_str(), -1, SQLITE_STATIC);
sqlite3_step(stmt);
sqlite3_finalize(stmt);
Well - ok ;-) I am quite sure that my version is safe but anyway I tried sqlite3_prepare. Now I have some problems debugging it. 

I tried to use

void *sqlite3_trace(sqlite3*, void(*xTrace)(void*,const char*), void*);
but I get the input of the prepare call - no ? replaced by the actual values.
Any ideas how to debug this? I have doubts that my SQL statement is bound correctly. 

What I try todo is something like this:

// SQL Statement is: "SELECT * FROM table WHERE name LIKE ?"
search = '%test%';
qlite3_bind_text(prepared_statement, 0,search , search , SQLITE_STATIC);

Any ideas?

TIA,
Thomas
----------------------------------------------------------------------------- 
To unsubscribe, send email to [EMAIL PROTECTED]
----------------------------------------------------------------------------- 




-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------

Reply via email to