For example, if I had this predicate format string, would it offer the same security benefits as prepared statements in SQL?

@"name == $LAST_NAME"

I am not sure whether this is a plain stupid substitution that still allows "SQL" injection into Core Data, or whether it is just as good as the prepared statements known from modern database technologies.

+1  A: 

You are not running on a server, and any user is going to get complete access to the SQLite file anyway, so there is no security there to subvert.

In addition, this is a predicate, not a stored SQL statement. When your application runs the predicate, Core Data does the translation to SQL; it does not store that translation.

In short, nothing to fear here.

Marcus S. Zarra
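As an added illustration of the mechanism the question asks about (this is example code written for this page, not code from the question, the answer, or Apple's frameworks): a `$LAST_NAME` substitution variable is resolved by `predicateWithSubstitutionVariables:` into a constant-value expression, so the supplied string is compared as data and is never parsed as predicate syntax. The contrast is pasting the value into the format string with `stringWithFormat:`, where characters in the value become part of the predicate grammar. The example uses Foundation only, with constructed in-memory dictionaries standing in for managed objects, because `filteredArrayUsingPredicate:` evaluates exactly the `NSPredicate` objects that Core Data would otherwise translate to SQL; the function names and the sample input are assumptions made for the example.

```objectivec
#import <Foundation/Foundation.h>

// Constructed sample rows standing in for Core Data managed objects.
static NSArray *SampleRows(void) {
    return @[ @{ @"name": @"Smith" }, @{ @"name": @"Jones" } ];
}

// Unsafe pattern: the user-supplied value is spliced into the format string,
// so any predicate syntax inside the value is parsed as syntax.
static NSArray *RowsMatchingByStringConcatenation(NSString *userInput) {
    NSString *format = [NSString stringWithFormat:@"name == \"%@\"", userInput];
    NSPredicate *predicate = [NSPredicate predicateWithFormat:format];
    return [SampleRows() filteredArrayUsingPredicate:predicate];
}

// Safe pattern: the format string is fixed at compile time and the value is
// bound through a substitution variable, which becomes a constant expression.
static NSArray *RowsMatchingBySubstitutionVariable(NSString *userInput) {
    NSPredicate *template = [NSPredicate predicateWithFormat:@"name == $LAST_NAME"];
    NSPredicate *bound = [template predicateWithSubstitutionVariables:@{ @"LAST_NAME": userInput }];
    return [SampleRows() filteredArrayUsingPredicate:bound];
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSString *benign = @"Smith";
        // Constructed input that closes the quoted literal and appends an
        // always-true comparison, keeping the quotes balanced so it parses.
        NSString *hostile = @"Smith\" OR \"x\" == \"x";

        NSLog(@"concatenation, benign input : %lu row(s)",
              (unsigned long)RowsMatchingByStringConcatenation(benign).count);
        // Here the OR clause is parsed as part of the predicate, not as a name.
        NSLog(@"concatenation, hostile input: %lu row(s)",
              (unsigned long)RowsMatchingByStringConcatenation(hostile).count);

        NSLog(@"$LAST_NAME, benign input    : %lu row(s)",
              (unsigned long)RowsMatchingBySubstitutionVariable(benign).count);
        // Here the whole hostile string is compared literally against "name".
        NSLog(@"$LAST_NAME, hostile input   : %lu row(s)",
              (unsigned long)RowsMatchingBySubstitutionVariable(hostile).count);
    }
    return 0;
}
```

With the concatenated format string the hostile input widens the predicate to match every row, whereas with the substitution variable it matches nothing, because no row has that literal string as its name. The same holds for `%@` arguments passed directly to `predicateWithFormat:`; only values interpolated into the format string text itself are exposed.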