Michael,

Actually I am building the string myself and it is very controlled, the IDs
are coming from an internal source, but it violates my general rule of never
building query strings.  Of course there are always exceptions to the rule
and it looks like this is one of those exceptions.

Thank you, one and all who replied!

Sam

On Mon, Jul 12, 2010 at 8:13 AM, Black, Michael (IS) <michael.bla...@ngc.com> wrote:

> Is there any reason why you need to bind it?
>
> Can't you just build the SQL string yourself?  As long as your IN
> parameters are well-controlled I don't think it should be a security risk.
> Plus you can check for more than one "(" after you build the string.
>
> #include <stdio.h>
> #include <string.h>
>
> /* Count the '(' characters in s. */
> int countparens(const char *s)
> {
>        int n=0;
>        const char *p;
>        while((p=strchr(s,'('))) {
>                s=p+1;
>                n++;
>        }
>        return n;
> }
>
> int main(void)
> {
>        char sql[4096];
>        char param[256];
>        int inlist[4] = {1,2,3,4};
>        size_t i;
>        /* Build the IN list from the internally supplied ids. */
>        strcpy(sql,"SELECT * FROM table WHERE tableId IN(");
>        for(i=0;i<sizeof(inlist)/sizeof(inlist[0]);i++) {
>                if (i==0) snprintf(param,sizeof(param),"%d",inlist[i]);
>                else snprintf(param,sizeof(param),",%d",inlist[i]);
>                strcat(sql,param);
>        }
>        strcat(sql,");");
>        /* A second '(' means something other than a plain id got into the list. */
>        if (countparens(sql)>1) {
>                printf("SQL too many parens?? - %s\n",sql);
>        }
>        puts(sql);
>        return 0;
> }
>
>
> Michael D. Black
> Senior Scientist
> Northrop Grumman Mission Systems
>
>
> ________________________________
>
> From: sqlite-users-boun...@sqlite.org on behalf of Sam Carleton
> Sent: Sun 7/11/2010 8:42 PM
> To: General Discussion of SQLite Database
> Subject: EXTERNAL:[sqlite] binding an IN
>
>
>
> Is there any way to bind to this query?
>
> SELECT * FROM table WHERE tableId IN ( ? );
>
> Where ? should be 1,2,3,4
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>
>
>
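The question in the thread (binding `1,2,3,4` to `IN ( ? )`) has a direct answer that keeps the "never build query strings" rule: a single `?` binds exactly one value, so generate one placeholder per value and bind each. The block below is an added example, not code from anyone in the thread; it uses Python's built-in `sqlite3` module rather than the C API, and the table `t`, the sample rows, the `MAX_PARAMS` chunk size and the hostile input string are all constructed for the demonstration. It also shows, side by side, what a "count the parentheses" check on a hand-built string does and does not catch.

```python
import re
import sqlite3
from typing import Any, Sequence

# Added example; not code from the thread.
# SQLite caps bound parameters per statement at SQLITE_MAX_VARIABLE_NUMBER:
# 999 by default before 3.32.0, 32766 from 3.32.0 on. Chunking below the
# old default keeps the query working on either build (assumed limit).
MAX_PARAMS = 999

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def in_query(table: str, column: str, count: int) -> str:
    """Build 'SELECT * FROM t WHERE c IN (?,?,...)' with one '?' per value.

    Identifiers cannot be bound, so the table and column names are checked
    against a strict pattern instead of being interpolated blindly.
    """
    if count < 1:
        raise ValueError("IN list must not be empty")
    for ident in (table, column):
        if not _IDENT.match(ident):
            raise ValueError(f"bad identifier: {ident!r}")
    placeholders = ",".join("?" * count)
    return f"SELECT * FROM {table} WHERE {column} IN ({placeholders})"


def select_in(conn: sqlite3.Connection, table: str, column: str,
              values: Sequence[Any]) -> list:
    """Run the IN query with every value bound, chunking long lists."""
    rows: list = []
    for start in range(0, len(values), MAX_PARAMS):
        chunk = list(values[start:start + MAX_PARAMS])
        sql = in_query(table, column, len(chunk))
        rows.extend(conn.execute(sql, chunk).fetchall())
    return rows


def build_unsafe(table: str, column: str, values: Sequence[Any]) -> str:
    """String-building with a '(' count, as discussed in the thread.

    Kept only to show what that check does and does not catch.
    """
    sql = (f"SELECT * FROM {table} WHERE {column} IN("
           + ",".join(str(v) for v in values) + ");")
    if sql.count("(") > 1:
        raise ValueError("too many parens")
    return sql


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (tableId INTEGER PRIMARY KEY, name TEXT)")
    # Constructed sample data: 2000 rows.
    conn.executemany("INSERT INTO t VALUES (?, ?)",
                     [(i, f"row{i}") for i in range(1, 2001)])

    bound_small = select_in(conn, "t", "tableId", [1, 2, 3, 4])
    # 1500 ids: sent as two statements (999 + 501) to stay under MAX_PARAMS.
    bound_big = select_in(conn, "t", "tableId", list(range(1, 1501)))

    # Constructed hostile input: it contains no '(' so the paren count passes,
    # and the trailing comment swallows the closing ");".
    hostile = "1) OR 1=1 --"
    unsafe_sql = build_unsafe("t", "tableId", [hostile])
    unsafe_rows = conn.execute(unsafe_sql).fetchall()   # every row comes back
    # The same value bound as a parameter is just data and matches nothing.
    bound_hostile = select_in(conn, "t", "tableId", [hostile])

    return {
        "small": len(bound_small),
        "big": len(bound_big),
        "unsafe": len(unsafe_rows),
        "bound_hostile": len(bound_hostile),
    }


if __name__ == "__main__":
    print(demo())
```

The only things that still get interpolated are the table and column names, because SQLite cannot bind identifiers; the regex restricts them to a plain identifier so an unexpected name is rejected rather than executed. Everything that comes from the ID list goes through a placeholder, so the list length is the only thing that shapes the SQL text.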