On 12/8/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
I appreciate the insight, but I'm not sure it helps with my situation.
This is what I'm trying to accomplish:
1. User selects 1 or more fields from a table using basic "SELECT fields
FROM table" syntax, and the result is retrieved using sqlite_get_table
(this is still in v2.8x)
2. User calls a function that says "I want to update field 3 in row 10".
I have to construct a query that says "UPDATE table SET field3 = value
WHERE ROWID = xxxx"
I can construct the update statement without much issue, but I need
to know whether or not I should put quotes around value, so I need
to know whether or not field3 is a text type field. I hope that explains
my situation a little better.
You'll need to do more than put quotes around the value!
Instead of taking this route, could you construct an UPDATE using bind
placeholders ("?"), then bind parameters using the appropriate type
you've received? Then sqlite itself will take care of whatever
quoting is necessary. This removes an entire class of sql injection
attack.
-scott
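The difference Scott is pointing at, as an added example that is not part of the original thread: the hand-quoted UPDATE from the question beside a version that binds the value with a "?" placeholder. The poster is on SQLite 2.8; this example uses the SQLite 3 API through Python's standard sqlite3 module, where "?" binding works the same way as sqlite3_bind_*. The table, rows and the hostile value are constructed here for illustration. One caveat the reply does not spell out: only values can be bound, never identifiers, so the column name still has to be checked against a known list before it goes into the statement text.

```python
import sqlite3

# Constructed attacker-controlled "field value" for the demonstration.
PAYLOAD = "x'; DELETE FROM t; --"


def make_db():
    """Build an in-memory table with constructed sample rows (ROWIDs 1, 2, 3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT, qty INTEGER)")
    conn.executemany("INSERT INTO t (name, qty) VALUES (?, ?)",
                     [("alpha", 1), ("beta", 2), ("gamma", 3)])
    conn.commit()
    return conn


def update_by_quoting(conn, column, rowid, value):
    """The approach from the question: choose quotes by type, splice the value into the SQL."""
    literal = "'" + value + "'" if isinstance(value, str) else str(value)
    sql = f"UPDATE t SET {column} = {literal} WHERE ROWID = {rowid}"
    # executescript() runs every statement in the string, as sqlite_exec() does,
    # so a second statement smuggled in through `value` is executed as well.
    conn.executescript(sql)


def update_by_binding(conn, column, rowid, value):
    """Bind the value with '?' so SQLite treats it as data, never as SQL text."""
    # Identifiers cannot be bound: validate the column name against the table's own columns.
    allowed = {row[1] for row in conn.execute("PRAGMA table_info(t)")}
    if column not in allowed:
        raise ValueError(f"unknown column: {column!r}")
    # The bound Python type (str or int) decides the SQLite storage class; no quoting needed.
    conn.execute(f"UPDATE t SET {column} = ? WHERE ROWID = ?", (value, rowid))
    conn.commit()


def get_row(conn, rowid):
    """Return (name, qty, typeof(name), typeof(qty)) for one row, or None."""
    return conn.execute(
        "SELECT name, qty, typeof(name), typeof(qty) FROM t WHERE ROWID = ?", (rowid,)
    ).fetchone()


def row_count(conn):
    return conn.execute("SELECT count(*) FROM t").fetchone()[0]


def demo():
    results = {}

    # 1. A legitimate value containing an apostrophe breaks the hand-quoted statement.
    conn = make_db()
    try:
        update_by_quoting(conn, "name", 2, "O'Brien")
        results["quoting_apostrophe"] = "ok"
    except sqlite3.OperationalError:
        results["quoting_apostrophe"] = "syntax error"

    # 2. A hostile value turns the hand-quoted UPDATE into two statements and empties the table.
    conn = make_db()
    update_by_quoting(conn, "name", 2, PAYLOAD)
    results["quoting_rows_left"] = row_count(conn)

    # 3. The same values bound as parameters are stored verbatim, with the right storage class.
    conn = make_db()
    update_by_binding(conn, "name", 2, "O'Brien")
    update_by_binding(conn, "name", 3, PAYLOAD)
    update_by_binding(conn, "qty", 1, 42)
    results["bound_row1"] = get_row(conn, 1)
    results["bound_row2"] = get_row(conn, 2)
    results["bound_row3"] = get_row(conn, 3)
    results["bound_rows_left"] = row_count(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the three outcomes side by side: the quoted O'Brien fails with a syntax error, the quoted payload deletes every row, and the bound versions leave three rows with the text stored exactly as given and qty still an integer.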