On Fri, Sep 13, 2013 at 09:19:23AM -0700, dochsm scratched on the wall:
> I agree with the other poster. You can just use any string manipulation
> routines you like to assemble the SQL into a string and then execute it.
> Take care with literals, e.g. where name = 'fred' might have to become where
> name = ''fred''  in Delphi (that's two single quotes at each end).

  To be more specific, you should never be dealing with literals if you
  construct an SQL statement.  String manipulation is required for
  dynamic identifiers (table & column names), but *all* dynamic literals
  should be run through bind parameters.  NEVER use string manipulations
  to deal with literal values... nearly all SQL Injection vulnerabilities
  could be avoided with this simple rule.

   -j

-- 
Jay A. Kreibich < J A Y  @  K R E I B I.C H >

"Intelligence is like underwear: it is important that you have it,
 but showing it to the wrong people has the tendency to make them
 feel uncomfortable." -- Angela Johnson
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
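
The rule in the reply, shown in working code. This is an added example written for this page, not code from either poster or from SQLite itself; it uses Python's standard sqlite3 module (which drives the same SQLite library the list discusses) so it can be run as-is. The "users" table, its three rows, and the ALLOWED_COLUMNS allowlist are constructed for the illustration. The concatenating query deliberately omits the quote-doubling the quoted post mentions so the failure is visible; the bind-parameter version never puts the literal into the SQL text at all, while the column name, which cannot be bound, is validated against the allowlist and then quoted as an identifier.

```python
import sqlite3

# Columns a caller may legitimately name. This allowlist is an assumption
# made for the example; the thread does not describe any particular schema.
ALLOWED_COLUMNS = frozenset({"name", "email"})


def make_db():
    """Constructed in-memory sample data (not from the original thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("fred", "fred@example.com"),
         ("o'brien", "ob@example.com"),
         ("alice", "alice@example.com")],
    )
    conn.commit()
    return conn


def quote_identifier(name):
    """SQL-standard identifier quoting: wrap in double quotes and double any
    embedded double quote. Apply only to names already checked against an
    allowlist; quoting alone does not make an arbitrary name safe to use."""
    return '"' + name.replace('"', '""') + '"'


def find_by_concat(conn, column, value):
    """The string-assembly approach: both the column name and the literal are
    spliced into the SQL text. The literal is the injection point."""
    sql = "SELECT id, name FROM users WHERE %s = '%s'" % (column, value)
    return conn.execute(sql).fetchall()


def find_by_bind(conn, column, value):
    """The rule from the reply: the dynamic identifier is validated and then
    quoted as a string; the dynamic literal travels as a bind parameter and
    never becomes part of the SQL text."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % column)
    sql = "SELECT id, name FROM users WHERE %s = ?" % quote_identifier(column)
    return conn.execute(sql, (value,)).fetchall()


def names_ordered_by(conn, column):
    """Identifiers need string handling: ORDER BY a validated, quoted column."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("unknown column: %r" % column)
    sql = "SELECT name FROM users ORDER BY %s" % quote_identifier(column)
    return [row[0] for row in conn.execute(sql)]


def names_ordered_by_bound_identifier(conn, column):
    """Wrong on purpose: binding 'name' here sorts by the constant string
    'name', so the rows come back in scan order, not alphabetically."""
    rows = conn.execute("SELECT name FROM users ORDER BY ?", (column,))
    return [row[0] for row in rows]


def concat_raises(conn, column, value):
    """True if the concatenated query is rejected by the SQL parser."""
    try:
        find_by_concat(conn, column, value)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(find_by_concat(db, "name", "fred"))           # [(1, 'fred')]
    print(find_by_bind(db, "name", "fred"))             # [(1, 'fred')]
    print(find_by_concat(db, "name", "x' OR '1'='1"))   # all three rows: injected
    print(find_by_bind(db, "name", "x' OR '1'='1"))     # []
    print(concat_raises(db, "name", "o'brien"))         # True: syntax error
    print(find_by_bind(db, "name", "o'brien"))          # [(2, "o'brien")]
    print(names_ordered_by(db, "name"))                 # ['alice', 'fred', "o'brien"]
    print(names_ordered_by_bound_identifier(db, "name"))  # insertion order, unsorted
```

Doubling single quotes, as the quoted post suggests, would make the two failing inputs above work in SQLite, but it has to be done correctly on every literal in every code path; a bind parameter removes that class of mistake, which is the point of the reply. The allowlist check on the identifier matters just as much: quote_identifier only makes a name syntactically safe, it does not decide whether the caller should be allowed to name that column.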