ansaurus

Question

Answer 1

+3 A:

NSString *str=@"mac";

NSString *sql =[NSString stringWithFormat:@"select rowid from mytable where name = %@",str];
if (sqlite3_prepare_v2(database, [sql UTF8String], -1, &select_statement, NULL) != SQLITE_OK)
{
    NSAssert1(0, @"Error: failed to prepare statement with message '%s'.", sqlite3_errmsg(database));
}

Suriya 2010-08-30 08:47:32

not getting correct answer

2010-08-30 09:18:01

Please try this..(I have edited the code and implemented a new code) This is code i am using from a long time. Dont know why it is not working for you.

Suriya 2010-08-30 09:55:45

If `str` comes in from a text field or other user input, this is a bad idea, because it is an SQL injection vulnerability. In this case, the user isn't likely to do anything malicious to their own data, but they could still corrupt it.

Peter Hosey 2010-08-30 11:26:29

@Peter Hosey: Thanks for suggestion. But it would be the case if 'str' comes from textField. but in this case string is taken in the code as you can see it above. NSString=@"mac". Here user426795 wants to pass the name as string. Thats it.. he dint told from where the string will be coming. also he too has kept the string in code only. So its hard to accept that the string will be coming through textfield. Also i replied as per question. Rest validation will be done by the user himself na.....

Suriya 2010-08-30 11:52:13

If the value were really just there in the code, it would just be part of the query string literal, as shown in the first code example; there would be no need to splice it in. Since the question is about splicing a value from an NSString string into the query, it's much more plausible that the NSString declaration you see in the question is a stand-in for a bunch of code that gets an NSString object from somewhere else, most probably a text field.

Peter Hosey 2010-08-30 11:57:10

`How to pass variable to sqlstatements?`This is the question of the user.......In Whatever way he passes it is his issues and not at all the part of the question asked.

Suriya 2010-08-30 12:32:24

There is a right way and there are several wrong ways to pass a value in an SQL statement; the wrong ways, for certain values, do not integrate the complete value into the statement, but corrupt it. That is SQL injection, and it is not only a concern of web apps.

Peter Hosey 2010-08-30 13:12:37

Peter: Sqlite is a mostly used to store the data locally in iPhone. No other iPhone user can access the locally stored Data in your iPhone. So the matter of sqlInjection is not gonna happen over here.So its a increase of code to do all such precautive stuffs for the things which is never gonna happen.This can be the case if your application already provides user with few prefilled data in database then such precautions must be taken else its of no use.

Suriya 2010-08-30 13:20:24

As I said, SQL injection doesn't just include malicious hacking; in this case, it would lead to the user corrupting their own data.

Peter Hosey 2010-08-30 13:49:56

But my dear friend Peter.. Theres nothing to discuss about that topic as its not at all the part of the question.If user has asked about pros and cons then such thing must brought into consideration....

Suriya 2010-08-31 04:32:26

still Peter its nice idea to go according to you. and from now on i too will take care and go on your path. Thanks a lot dear.

Suriya 2010-08-31 04:35:19

Just because the questioner didn't ask about it doesn't mean it isn't relevant to the discussion. It is relevant to point out strengths and weaknesses of different solutions.

Peter Hosey 2010-08-31 13:21:39

Answer 2

+3 A:

As you've found, merely using the same text as a variable name and as a substring of a string literal does not cause the contents of the variable to be spliced into the string. The compiler could theoretically set this up for you, but it doesn't—doing this with no explicit formatting characters isn't a feature of any language I've ever heard of. Even if this were supported, you still couldn't splice NSString objects into C strings.

So, the question is how to splice the string from str into the query string.
The answer is not stringWithFormat:!

That opens you up to SQL injection, which, in the context of a database that the user is accessing from the same machine where it resides, means that the user could corrupt their data by entering the wrong thing. Trying to fix that by escaping things is an interminable game of whack-a-mole and self-doubt (“I hope that's the last of these bugs”).

The correct solution is to let SQLite splice the parameters into the query as only it knows how. You do that by preparing the statement with a question mark at every point where you need to splice in a value, then binding the value(s) into the statement. Each call to one of the bind functions will replace one not-yet-bound placeholder with the value you pass in in a way that is safe—i.e., won't create an invalid or destructive query statement.

Peter Hosey 2010-08-30 11:38:35

1+ Peter good one.

org.life.java 2010-08-30 14:20:44

Answer 3

+1 A:

@Peter Hosey is absolutely correct: the way to do this is the SQLite binding functions. However, the even better way to do this is to use a wrapper like FMDB or TouchSQL, which both allow you to use stringWithFormat: style syntax, but while still using the binding functions underneath. In other words, they do everything you want to do, but have already done it for you and (no offense) likely have done it better than you would have.

Dave DeLong 2010-08-30 15:04:46

ansaurus

tags:

views:

answers:

How to pass a variable to sqlstatement?

related questions