Is there any reason why you need to bind it? Can't you just build the SQL string yourself? As long as your IN parameters are well-controlled I don't think it should be a security risk. Plus you can check for more than one "(" after you build the string.

    #include <stdio.h>
    #include <string.h>

    /* Count the '(' characters in s. */
    int countparens(const char *s)
    {
        int n = 0;
        const char *p;
        while ((p = strchr(s, '(')) != NULL) {
            s = p + 1;
            n++;
        }
        return n;
    }

    int main(void)
    {
        char sql[4096];
        char param[256];
        int inlist[4] = {1, 2, 3, 4};
        int i;

        strcpy(sql, "SELECT * FROM table WHERE tableId IN(");
        for (i = 0; i < (int)(sizeof(inlist) / sizeof(inlist[0])); i++) {
            /* Comma-separate every element after the first. */
            if (i == 0)
                sprintf(param, "%d", inlist[i]);
            else
                sprintf(param, ",%d", inlist[i]);
            strcat(sql, param);
        }
        strcat(sql, ");");

        /* A second '(' means something other than the IN list got in. */
        if (countparens(sql) > 1) {
            printf("SQL too many parens?? - %s\n", sql);
        }
        puts(sql);
        return 0;
    }
Michael D. Black
Senior Scientist
Northrop Grumman Mission Systems

________________________________

From: sqlite-users-boun...@sqlite.org on behalf of Sam Carleton
Sent: Sun 7/11/2010 8:42 PM
To: General Discussion of SQLite Database
Subject: EXTERNAL:[sqlite] binding an IN

Is there any way to bind to this query?

SELECT * FROM table WHERE tableId IN ( ? );

Where ? should be 1,2,3,4

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
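Added example, not code from this thread or from the SQLite project: it uses Python's standard sqlite3 module (the same prepared-statement binding the C API exposes through sqlite3_bind_*) with a constructed in-memory table `tbl` to show why the single `?` in the question matches nothing when bound to "1,2,3,4", and how generating one placeholder per element binds the whole IN list without ever building SQL text from the values.

```python
import sqlite3

# Constructed sample table for the demonstration (not from the thread).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl (tableId INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO tbl VALUES (?, ?)",
                     [(i, "row%d" % i) for i in range(1, 11)])
    return conn

def select_in_single_placeholder(conn, csv_list):
    # The query from the question: one '?' bound to the whole string "1,2,3,4".
    # SQLite binds it as a single TEXT value, so IN compares tableId against
    # the literal string '1,2,3,4' and nothing matches.
    rows = conn.execute("SELECT tableId FROM tbl WHERE tableId IN (?)",
                        (csv_list,)).fetchall()
    return [r[0] for r in rows]

def select_in_bound(conn, ids):
    # One '?' per element, generated from the element *count* only; each value
    # is then bound separately and is never parsed as SQL, so no quoting or
    # parenthesis counting is needed.
    ids = list(ids)
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = ("SELECT tableId FROM tbl WHERE tableId IN (%s) ORDER BY tableId"
           % placeholders)
    return [r[0] for r in conn.execute(sql, ids).fetchall()]
```

Very long lists still hit SQLite's bound-parameter limit, so split them into batches of placeholders rather than falling back to string concatenation.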