On Mon, Apr 27, 2009 at 05:06:31AM -0700, Vinnie scratched on the wall:

> Hasn't anyone else used variable argument lists for binding parameters
> and what not?
There is a built-in API for that: http://sqlite.org/c3ref/mprintf.html

Part of the reason you may find that var-arg binding and similar techniques are not widely supported is that string-based SQL manipulation is considered dangerous. SQL injection is a very common and ridiculously successful attack, especially in the web world. It would also be nearly non-existent if everyone used bound parameters.

Generally, the issue comes down to properly quoting and escaping special characters within the values that are being passed in. It is a much harder problem than most people think, as evidenced by the tens-of-thousands of hacked sites out there. Bound parameters largely solve this problem as the parameter value is never inserted into the SQL statement, meaning that a string representation of the parameter value is never pushed through the SQL parser. This makes injection essentially impossible.

It is possible to build a var-arg style wrapper that is based off bound parameters under the hood (if you return a statement, rather than a string), but most people are going to assume you're doing it via string manipulation, and shy away from it.

If you don't like the standard '?' syntax, don't forget you can explicitly number or name your parameters. Personally I think this is the better approach anyways. Numbering the parameters explicitly also allows you to re-use them, which can be useful in complex SELECT statements.

-j

-- 
Jay A. Kreibich < J A Y @ K R E I B I.C H >

"Our opponent is an alien starship packed with atomic bombs. We have a protractor."
"I'll go home and see if I can scrounge up a ruler and a piece of string."
--from Anathem by Neal Stephenson
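The two points above (a value pushed through the SQL parser versus a bound parameter, and re-using an explicitly numbered parameter) as an added example using Python's standard sqlite3 module; this is not code from the original message. The `users` table, its rows and the surname "O'Brien" are constructed for the demo: a plain apostrophe is enough to break the string-built query, while the bound versions never see the value as SQL text.

```python
import sqlite3

# Constructed sample data for the demo (not from the original post).
ROWS = [("alice", "O'Brien"), ("bob", "Smith")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, surname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_unsafe(conn, surname):
    # String-built SQL: the value is parsed as part of the statement. An
    # ordinary apostrophe already yields a syntax error, and that same
    # parser exposure is what injection exploits.
    sql = "SELECT login FROM users WHERE surname = '%s'" % surname
    return [r[0] for r in conn.execute(sql)]


def lookup_bound(conn, surname):
    # Standard '?' placeholder: the value is bound, never spliced into the
    # SQL text, so no quoting or escaping is needed.
    rows = conn.execute(
        "SELECT login FROM users WHERE surname = ?", (surname,))
    return [r[0] for r in rows]


def lookup_named(conn, surname):
    # Named parameter (:surname), bound from a dict.
    rows = conn.execute(
        "SELECT login FROM users WHERE surname = :surname",
        {"surname": surname})
    return [r[0] for r in rows]


def count_matches_numbered(conn, needle):
    # Explicitly numbered parameter ?1 used twice in one statement; SQLite
    # reports a single distinct parameter, so one value binds both uses.
    sql = "SELECT count(*) FROM users WHERE login = ?1 OR surname = ?1"
    return conn.execute(sql, (needle,)).fetchone()[0]


def demo():
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError as exc:
        unsafe = "error: %s" % exc
    return {"unsafe": unsafe,
            "bound": lookup_bound(conn, "O'Brien"),
            "named": lookup_named(conn, "O'Brien"),
            "numbered": count_matches_numbered(conn, "Smith")}
```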