On Wed, Jul 04, 2012 at 01:09:01AM -0500, Nico Williams scratched on the wall:
> But this would
> just be a glorified (if safer) variant of sqlite3_mprintf() -- for
> apps that allow users to manipulate the schema this could actually be
> a good improvement.

  The sqlite3_*printf() family supports the %w option specifically for
  safely formatting identifiers.  Like the %q option, you need to
  include the quotes in your string literal.  So your modified prepare
  would look something like this:

    sql_str = sqlite3_mprintf( "DROP TABLE \"%w\"", table_name );
    sqlite3_prepare_v2( db, sql_str, -1, &stmt, NULL );
    sqlite3_free( sql_str );

   -j

-- 
Jay A. Kreibich < J A Y @ K R E I B I.C H >

"Intelligence is like underwear: it is important that you have it,
but showing it to the wrong people has the tendency to make them
feel uncomfortable." -- Angela Johnson
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
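The following is an added example, not part of the message above and not SQLite's own code. It reimplements the quoting rule that %w applies (wrap the identifier in double quotes, double every embedded double quote) as a hand-written quote_identifier() in Python, so the effect can be checked against the stdlib sqlite3 module without the C API. drop_unsafe() is constructed to mirror splicing the name in raw and handing the whole string to sqlite3_exec(); drop_safe() mirrors the "DROP TABLE \"%w\"" pattern. The table names, the constructed legitimate name containing quotes, and the constructed hostile name are all assumptions made for the demonstration; the NUL check is an extra guard that %w itself does not perform.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Quote an SQL identifier the way sqlite3_mprintf("\"%w\"", name) does:
    wrap in double quotes and double every embedded double quote.
    Hand-written stand-in for the %w directive, not SQLite's own code."""
    if "\x00" in name:
        # Added guard: a C string would simply end at the NUL; %w does not check this.
        raise ValueError("identifier may not contain NUL")
    return '"' + name.replace('"', '""') + '"'


def fresh_db() -> sqlite3.Connection:
    """In-memory database with three constructed tables, one of whose names
    contains double quotes (a legal identifier that needs proper quoting)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT);"
        "CREATE TABLE scratch (x);"
        'CREATE TABLE "odd ""name""" (y);'
    )
    return db


def table_names(db: sqlite3.Connection) -> list:
    rows = db.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def drop_unsafe(db: sqlite3.Connection, table_name: str) -> None:
    """Mirrors sqlite3_exec(db, sqlite3_mprintf("DROP TABLE %s", name)):
    the name is spliced in raw and every statement in the result runs."""
    db.executescript("DROP TABLE " + table_name)


def drop_safe(db: sqlite3.Connection, table_name: str) -> None:
    """Mirrors sqlite3_prepare_v2 on sqlite3_mprintf("DROP TABLE \"%w\"", name):
    whatever the name contains, it is parsed as exactly one quoted identifier."""
    db.execute("DROP TABLE " + quote_identifier(table_name))


def run(drop, table_name: str) -> tuple:
    """Apply one drop strategy to a fresh database; return the exception class
    name raised (None on success) and the tables that survive."""
    db = fresh_db()
    try:
        drop(db, table_name)
        err = None
    except sqlite3.Error as e:
        err = type(e).__name__
    return err, table_names(db)


if __name__ == "__main__":
    LEGIT = 'odd "name"'                  # constructed: legal name that needs quoting
    HOSTILE = "scratch; DROP TABLE users"  # constructed: attacker-chosen "table name"
    for label, name in (("legitimate", LEGIT), ("hostile", HOSTILE)):
        print(f"{label} name {name!r} quoted as {quote_identifier(name)}")
        print("  unsafe ->", run(drop_unsafe, name))
        print("  safe   ->", run(drop_safe, name))
```

With the raw splice, the legitimate quoted name is a syntax error and the hostile one drops two tables; with %w-style quoting, the legitimate name is dropped cleanly and the hostile string is merely a table that does not exist. Note that prepare_v2 compiles only the first statement of its input, so the sqlite3_exec mirror is the relevant comparison for the multi-statement case; if you pass pzTail and loop, the %w quoting is what keeps the loop from ever seeing a second statement.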