使用撇号将数据安全插入 SQLite 数据库
我正在尝试根据用户提供的文本在 SQLite 数据库中创建一个表。一切工作正常,除了当我尝试在文本中添加撇号(这将是新的表名称)时。经过研究,我确定我所做的不是最佳实践,因为很容易受到注入:
const char *sqlStr = [[NSString stringWithFormat:@"CREATE Table '%@' ('Name' 'char(50)','ID' 'integer')",theString]UTF8String];
因此我试图找到一种方法,允许撇号包含在表名称中并将值安全地插入数据库中。我已阅读有关绑定值的内容,但这可以通过“CREATE TABLE”语句实现吗?或者仅当您将数据插入到已经存在的表中时?
感谢您的帮助。
I am trying to create a table in a SQLite database based on user provided text. Everything was working correctly, except when I tried to add an apostrophe inside the text (which was to be the new table name). After research, I determined that what I was doing is not the best practice as is vulnerable to injection:
const char *sqlStr = [[NSString stringWithFormat:@"CREATE Table '%@' ('Name' 'char(50)','ID' 'integer')",theString]UTF8String];
So I am trying to find a way to allow apostrophes to be included in the table name and safely inserting the value into the database. I have read about binding values, but is this possible with the 'CREATE TABLE' statement? Or only when you insert data into an already existing table?
Thanks for your help.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
来自文档:
因此:
From the documentation:
Thus: