In C API one can avoid the problem using sqlite3_bind_parameter_index https://www.sqlite.org/c3ref/bind_parameter_index.html
    select something from table where wsidint = @wsid_int;

    int wsid_intVal = 5; // for the sake of argument. (no pun intended)
    sqlite3_bind_int(ppStmt, sqlite3_bind_parameter_index(ppStmt, "@wsid_int"), wsid_intVal);

Adam DeVita

On Mon, Mar 2, 2015 at 11:01 AM, Simon Slavin <slavins at bigfraud.org> wrote:
>
> On 2 Mar 2015, at 12:23am, Jay Kreibich <jay at kreibi.ch> wrote:
>
> > Every database I've ever used starts SQL parameter indexes from 1. I'm
> > not sure it is part of the SQL standard, but it is more or less the de facto
> > standard of SQL APIs, and might be considered part of the SQL language.
>
> I hope the SQLite library does something appropriate if you try to bind to
> parameter 0. It would seem to be an excellent avenue for a security bug if
> nothing tests for it.
>
> Simon.
> _______________________________________________
> sqlite-users mailing list
> sqlite-users at mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>

--
--------------
VerifEye Technologies Inc.
151 Whitehall Dr. Unit 2
Markham, ON L3R 9T1