praeclarum / sqlite-net

Simple, powerful, cross-platform SQLite client and ORM for .NET
MIT License

Add method to escape string #382

Open MKuckert opened 9 years ago

MKuckert commented 9 years ago

The binding mechanism of the extension is pretty nice and convenient, but sometimes it's easier to build a large query by concatenating many different strings. This makes the code vulnerable to SQL injection by breaking out of quoted string parts.

The sqlite library itself provides a method sqlite3_mprintf to quote a string for safe query inclusion (usage is mySafeString = sqlite3_mprintf("%q", myUnsafeString);). Is there any possibility to include the sqlite3_mprintf function, or a simpler Escape method that uses it directly, in the library?
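An added example (not from this issue or the sqlite-net project) contrasting the three approaches discussed in this thread against sqlite-net's own API: plain concatenation, concatenation with a hypothetical `EscapeLikeMprintfQ` helper that mimics what `sqlite3_mprintf("%q")` does (doubling single quotes), and the library's built-in `?` parameter binding. The `Person` table and the name containing a quote are constructed sample data; the in-memory database path is assumed to be accepted by the sqlite-net build in use.

```csharp
using System;
using SQLite;

public class Person
{
    [PrimaryKey, AutoIncrement]
    public int Id { get; set; }
    public string Name { get; set; }
}

public static class QuotingDemo
{
    // Hypothetical helper (not part of sqlite-net) mirroring sqlite3_mprintf("%q"):
    // every single quote in the value is doubled so it cannot end a string literal.
    // Only useful where a query really must be built by concatenation; binding is preferred.
    public static string EscapeLikeMprintfQ(string value) => value.Replace("'", "''");

    public static void Main()
    {
        var db = new SQLiteConnection(":memory:");
        db.CreateTable<Person>();
        db.Insert(new Person { Name = "Alice" });
        db.Insert(new Person { Name = "O'Brien" });   // constructed sample: data containing a quote

        string name = "O'Brien";

        // 1. Plain concatenation: the quote inside the data closes the literal early,
        //    so the statement is malformed and sqlite-net throws.
        try
        {
            db.Query<Person>("select * from Person where Name = '" + name + "'");
        }
        catch (SQLiteException ex)
        {
            Console.WriteLine("concatenation failed: " + ex.Message);
        }

        // 2. Concatenation with %q-style escaping: correct, but only as long as
        //    every concatenated value goes through the helper without exception.
        var escaped = db.Query<Person>(
            "select * from Person where Name = '" + EscapeLikeMprintfQ(name) + "'");
        Console.WriteLine("escaped: " + escaped.Count + " row(s)");   // 1 row

        // 3. Parameter binding, which sqlite-net already provides: the value is passed
        //    to sqlite3_bind_* and is never parsed as SQL, so no escaping is needed.
        var bound = db.Query<Person>("select * from Person where Name = ?", name);
        Console.WriteLine("parameterized: " + bound.Count + " row(s)");   // 1 row
    }
}
```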

AlexKven commented 8 years ago

This has been causing me great grief for the past 4 hours. Given that it handles class structures and parsing out properties, the fact that it doesn't escape them is just silly.

praeclarum commented 7 years ago

Yeah this sounds good to have!

@AlexKven because this library uses parameterization, it doesn't need to escape arguments.