Support for parameterized criteria?


Taylor Hughes

May 13, 2009, 2:24:25 PM
to sqlitepersistentobjects-user
Hi,

I'm looking to do something like:

NSString *name = @"Robert'; DROP TABLE ...";
[Project findFirstByCriteria:@"WHERE name = ?", name];

Where name is some user input and the actual conditions would end up
nicely escaped. It looks like the ability to pass a format string to
xxxCriteria methods exists — "name=%@", name — but it looks like it
doesn't do any escaping (unless I'm missing something there).

Is there some common way to do this? I was thinking about running my
parameter(s) through sqlite3_mprintf("%Q", ...) first or something but
that seems clunky.

Thanks,

Taylor

Taylor Hughes

May 13, 2009, 8:04:18 PM
to sqlitepersistentobjects-user
I am using the following for now:

#import <sqlite3.h>

+ (Project *)findProjectWithName:(NSString *)name
{
    // Quote the string as an SQL literal using sqlite3_mprintf("%Q"):
    // wraps it in single quotes and doubles any embedded single quotes.
    char *quoted = sqlite3_mprintf("%Q", [name UTF8String]);
    NSString *quotedName = [NSString stringWithUTF8String:quoted];
    sqlite3_free(quoted); // sqlite3_mprintf allocates; the buffer must be released
    return (Project *)[Project findFirstByCriteria:@"WHERE name=%@", quotedName];
}
