tags:

views:

515

answers:

1
+1  Q: 

Objective-C: Do You Have to Escape Single Quotes in Strings Destined fo SQL?

Hi,

I'm an iPhone developer. I'm writing my unit test cases, one of which checks if the app accepts UTF8 strings to be written to a sqlite3 database. I created a test case to generate random UTF8 strings and I can see the ones that fail do so because they contain an apostrophe (') which I need to be accepted.

I'm writing to the database like this:

NSString *query=@"INSERT INTO song (id,title, duration) VALUES (?,?,?);";
sqlite3_stmt *_statement;
insert=sqlite3_prepare_v2(_database, [query UTF8String], -1, &_statement, NULL);
sqlite3_bind_text(_statement, 1, [value1 UTF8String], -1, SQLITE_TRANSIENT);
sqlite3_bind_text(_statement, 2, [value2 UTF8String], -1, SQLITE_TRANSIENT);
sqlite3_bind_text(_statement, 3, [value3 UTF8String], -1, SQLITE_TRANSIENT);
sqlite3_step(_statement);

Do I have to manually escape the apostrophes in value1-3 with a replace or something like that? If so, that's kind of lame...

+1  A: 

It's not an apostrophe in this context, it is a single quote which the compiler will see as delimiting a string. Since you're building a string to send to SQL an unescaped single quote will disrupt the string where it occurs.

You always have to escape single and double quote characters in any string context. That is true of every language not just C variants.

Heck, if you use syntax coloring the editor will usually show you that you've turned a big chunk of your code into an unterminated string.

Edit:

Okay, I did misunderstand. In general, to format input from the UI you would use a NSFormatter subclass. This basically lets you turn anything to string and back again. It's most commonly used for dates, numbers, formatted strings like phone# etc but it can perform any string related conversion or manipulation. In this case you would need a formatter to automatically escape single quotes in user inputed strings. Somebody might have already written one.

But I have to say I don't think this is the problem because:

  1. NSString is very good about handling quotes. You can even take a UTF8String with single ticks and dump it straight through printf which is notoriously fussy about such things. I'm not sure the Objective-C side of things is the problem.
  2. I haven't found any other mentions of this problem. SQL is used extensively on the iPhone and on the Mac and if the Apple API failed to address a very common input pattern, I would expect to see hundreds of post about dealing with rouge quotes in SQL queries.

I haven't futzed with SQL in a while so I can't say definitively what the problem is but I wouldn't get to focused on the Objective-C side of things.

TechZen  2010-02-28 16:13:38
well I come from java, and there if you use a prepared statement it will sanitize the quotes. I just wondered if there was a more elegant way to do it instead of replacing the quotes in every parameter.
Leg10n  2010-02-28 16:17:20
Well, I think it's borderline suicidal to put apostrophes in variable names regardless of whether safeguards exist in the language or not. You're just asking for trouble somewhere down the line.
TechZen  2010-02-28 16:20:58
I think the sanitizing in Java is actually coming from the IDE or the precompiler. If you have to use single quotes of as apostrophes, it would be trivial to write an Xcode user script to sanitize a string.
TechZen  2010-02-28 16:23:08
uhm i think you're a bit confused, i'm not talking about quotes in variable names, I'm talking about a user input that can contain quotes or apostrophes, and when they make it to the sql statement they act like a sql injection, I thought by using prepared statements, the binding would escape automatically the quotes like i mentioned java does. I don't intend to begin a flaming war or anything like that.
Leg10n  2010-02-28 16:32:29
I did misunderstand. See my edit for more info
TechZen  2010-02-28 21:23:27

related questions

How do we get arround Apple's decission to skip sms templates for iPhone?
iPhone App Crashing - Error Question
Can I write native iPhone apps using Python
Does the Iphone 1/2 have a compass inside?
How do you beta test an iphone app?
Is it just the iPhone simulator that is restricted to intel only Mac's?
iPhone App Minus App Store?
Deleting messages from Exchange IMAP mailbox on iPhone
Is there a multiplatform framework for developing iPhone / Android applications?
How can I launch the Google Maps iPhone application from within my own native application?
Tips for a successful AppStore submission?
iPhone app that access the Core Location framework over web
Virtual Mac?
What's a good machine for iPhone development?
How can I develop for iPhone using a Windows development machine?
Recommended iPhone Development Resources
Best Wiki for Mobile Users
How to programmatically send SMS on the iPhone?
iPhone - Exchange Calendars in Public Folders
iPhone web applications, templates, frameworks?
Understanding reference counting with Cocoa / Objective C
How-to articles for iPhone development, Objective-C
What are the correct pixel dimensions for an apple-touch-icon?
How do I give my web sites an icon for iPhone?
iPhone app in landscape mode