How do I write prepared statements for SQLite on the iPhone? Is it possible to do SQL injection in iPhone apps that use an SQLite db?
+2
A:
I would suggest that if you're starting to develop an iPhone app now you should probably use Core Data rather than coding directly to SQLite. Having said that, creating a prepared statement is simple and well documented:
sqlite3_stmt* statement_handle;
sqlite3_prepare_v2(db, "select a,b from Table where c = ?", -1, &statement_handle, NULL);
And yes, it is possible to have SQL injection attacks in a badly coded application. Using prepared statements goes a long way toward avoiding it.
Stephen Darlington
2009-07-27 09:00:31
Core Data is new to iPhone 3.0, right? SQLite would be a safe bet, I believe, until Core Data penetrates well into the user base.
Ram
2009-07-27 09:07:12
My feeling is that most people who actually buy apps already have 3.0 or will upgrade shortly. Unfortunately there's very little solid data to work on.
Stephen Darlington
2009-07-27 09:36:54
Potentially there are things you can do more readily with SQLite than with Core Data.
teabot
2009-07-28 11:06:14
Absolutely. Core Data isn't the only option nor is it necessarily the best in all circumstances. But it's a good default.
Stephen Darlington
2009-07-28 11:34:23
A:
Along with Core Data, I'd also recommend looking at a higher-level iPhone SQLite library such as FMDB.
teabot
2009-07-27 09:06:03
Is that "along with" or "as an alternative to"? I've been working with SQLite myself, and need to start the switchover...
Amagrammer
2009-07-27 13:57:54