Given the statement:

const char *sql = "INSERT INTO FooTable (barStr) VALUES (?)";

is the following use of sqlite3_bind_text (and related sqlite3_bind_* functions) sufficient to prevent SQL injection attacks?

sqlite3 *db = NULL;
sqlite3_stmt *dbps = NULL;

int dbrc = sqlite3_open([dbFilePath UTF8String], &db);
if (dbrc != SQLITE_OK) {
    // handle error; sqlite3_open hands back a handle even on failure, so release it
    sqlite3_close(db);
    return;
}

// The SQL text is a fixed string; the user value is never spliced into it
dbrc = sqlite3_prepare_v2(db, sql, -1, &dbps, NULL);
if (dbrc != SQLITE_OK) {
    // handle error
    sqlite3_close(db);
    return;
}

// -1: the string is NUL-terminated; SQLITE_TRANSIENT: SQLite makes its own copy
sqlite3_bind_text(dbps, 1, [userContent UTF8String], -1, SQLITE_TRANSIENT);

dbrc = sqlite3_step(dbps);
if (SQLITE_DONE != dbrc) {
    // handle error
}

sqlite3_finalize(dbps);
sqlite3_close(db);
A (+4):

Yes, if you only pass the user supplied data to sqlite3_bind_* functions, then you are safe from SQL injection attacks (these attacks assume that you dynamically build your query string and don't quote/escape the user supplied data correctly).

cmeerw