Are the 'sqlite3_snprintf()' family protected against SQL injection?

John Smith
For example, if I write a function like:

    #include <sqlite3.h>

    /* Builds the UPDATE by substituting both caller-supplied strings verbatim. */
    void CreateSQL_SetName( char* buffer, int size, const char* szName, const char* szCondition)
    {
        sqlite3_snprintf( size, buffer, "UPDATE my_table SET name='%s' WHERE %s", szName, szCondition);
    }

Does SQLite's 'sqlite3_snprintf()' process the strings 'szName' and 'szCondition' to verify that they do not contain escape sequences that may inject other SQL statements into this statement?

Thanks!
John
_______________________________________________
sqlite-users mailing list
[hidden email]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: Are the 'sqlite3_snprintf()' family protected against SQL injection?

Richard Hipp-3
On 3/14/19, John Smith <[hidden email]> wrote:

> For example, if I write a function like:
>
>     void CreateSQL_SetName( char* buffer, int size, const char* szName, const char* szCondition)
>     {
>         sqlite3_snprintf( size, buffer, "UPDATE my_table SET name='%s' WHERE %s", szName, szCondition);
>     }
>
> Does SQLite's 'sqlite3_snprintf()' process the strings 'szName' and
> 'szCondition' to verify that they do not contain escape sequences that may inject
> other SQL statements into this statement?

It does if you use %q or %Q instead of %s.  See
https://www.sqlite.org/printf.html#percentq

--
D. Richard Hipp
[hidden email]
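Added example, not code from either poster. It is written in Python rather than against the C API, because Python's standard sqlite3 module runs stand-alone but does not expose sqlite3_snprintf; the two helpers percent_q() and percent_Q() are my own emulation of the documented %q and %Q conversions (%q doubles every single quote, %Q also adds the surrounding quotes and renders a NULL pointer as NULL), so treat them as an assumption about the output rather than as SQLite's code. The table my_table, its rows and the hostile input are constructed for the demonstration. It shows three things a practitioner would want to check: that %s lets a crafted szName rewrite the WHERE clause, that %q neutralises that because the value sits between single quotes, and that %q cannot help with szCondition at all, since a WHERE clause is SQL text rather than a string literal; for values, bound parameters avoid the escaping question entirely.

```python
import sqlite3

# Constructed sample data for this example; not part of the original thread.
SCHEMA = """
CREATE TABLE my_table (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
INSERT INTO my_table (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol');
"""


def percent_q(value):
    """Emulates sqlite3_snprintf's %q (assumption: written for this example,
    not SQLite code): every single quote is doubled, so the result is safe
    *between* single quotes in an SQL string literal, and nowhere else."""
    return value.replace("'", "''")


def percent_Q(value):
    """Emulates %Q: like %q but supplies the surrounding quotes itself and
    renders a NULL pointer (None here) as the bare keyword NULL."""
    if value is None:
        return "NULL"
    return "'" + percent_q(value) + "'"


def create_sql_set_name_s(name, condition):
    """The pattern from the original post: %s for both arguments. Python's
    % operator stands in for sqlite3_snprintf's %s (plain substitution)."""
    return "UPDATE my_table SET name='%s' WHERE %s" % (name, condition)


def create_sql_set_name_q(name, condition):
    """The suggested fix, %q for the quoted name. The WHERE clause is SQL
    text, not a string literal, so no printf conversion can make it safe;
    it must be assembled by the application, with user data passed as
    bound parameters (see bound_update below)."""
    return "UPDATE my_table SET name='%s' WHERE %s" % (percent_q(name), condition)


def run_update(sql, params=()):
    """Runs one UPDATE against a fresh in-memory copy of the sample table and
    returns the resulting names in id order, so the effect of each query
    can be compared."""
    con = sqlite3.connect(":memory:")
    try:
        con.executescript(SCHEMA)
        con.execute(sql, params)
        return [row[0] for row in con.execute("SELECT name FROM my_table ORDER BY id")]
    finally:
        con.close()


def bound_update(name, row_id):
    """Parameter binding (sqlite3_bind_text in the C API): the value never
    becomes part of the SQL text, so there is nothing to escape."""
    return run_update("UPDATE my_table SET name=? WHERE id=?", (name, row_id))


if __name__ == "__main__":
    hostile = "mallory' WHERE 1=1 --"      # closes the literal, replaces the WHERE clause
    print(create_sql_set_name_s(hostile, "id=2"))
    print(run_update(create_sql_set_name_s(hostile, "id=2")))   # every row renamed
    print(create_sql_set_name_q(hostile, "id=2"))
    print(run_update(create_sql_set_name_q(hostile, "id=2")))   # only row 2, stored verbatim
    print(run_update(create_sql_set_name_q("dave", "id=2 OR 1=1")))  # %q cannot help here
    print(bound_update(hostile, 2))
    print(percent_Q(None), percent_Q("O'Brien"))
```

The printed SQL makes the difference visible: with %s the query becomes `UPDATE my_table SET name='mallory' WHERE 1=1 --' WHERE id=2` and the original condition is commented out, while with %q the doubled quote keeps the whole hostile string inside the literal. The third call is the caveat for the WHERE argument: nothing in the printf family can validate an expression, so szCondition must never be user-controlled. In C the bound_update() equivalent is sqlite3_prepare_v2() followed by sqlite3_bind_text(), which also sidesteps the buffer-size concern of building SQL into a fixed buffer.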