Is there any C SQLite API for quoting/escaping the name of a table?

It's impossible to sqlite3_bind_text a table name because sqlite3_prepare_v2 fails to prepare a statement such as:

SELECT * FROM ? ;

I presume the table name is needed to parse the statement, so the quoting needs to have happened before sqlite3_prepare_v2.

Is there something like a sqlite3_quote_tablename? Maybe it already exists under a name I can't recognize, but I can't find anything in the functions list.

Answers


your proposed sqlite3_quote_tablename function could sanitize the input to prevent sql injection attacks. To do this it could parse the input to make sure it is a string literal. http://sqlite.org/lang_expr.html#litvalue


If a table name has invalid characters in it you can enclose the table name in double quotes, like this.

sqlite> create table "test table" (id);
sqlite> insert into "test table" values (1);
sqlite> select * from "test table";
id
----------
1

Of course you should avoid using invalid characters whenever possible. It complicates development and is almost always unnecessary (IMO the only time it is necessary is when you inherit a project that is already done this way and it's too big to change).


When using SQLite prepared statements with parameters the parameter: "specifies a placeholder in the expression for a literal value that is filled in at runtime"

Before executing any SQL statement, SQLite "compiles" the SQL string into a series of opcodes that are executed by an internal Virtual Machine. The table names and column names upon which the SQL statement operates are a necessary part of the compilation process.

You can use parameters to bind "values" to prepared statements like this:

SELECT * FROM FOO WHERE name=?;

And then call sqlite3_bind_text() to bind the string gavinbeatty to the already compiled statement. However, this architecture means that you cannot use parameters like this:

SELECT * FROM ? WHERE name=?;    // Can't bind table name as a parameter
SELECT * FROM FOO WHERE ?=10;    // Can't bind column name as a parameter

If SQLite doesn't accept table names as parameters, I don't think there is a solution for your problem...

Take into account that:

Parameters that are not assigned values using sqlite3_bind() are treated as NULL.

so in the case of your query, the table name would be NULL which of course is invalid.


I was looking for something like this too and couldn't find it either. In my case, the expected table names were always among a fixed set of tables (so those were easy to validate). The field names on the other hand weren't so I ended up filtering the string, pretty much removing everything that was not a letter, number, or underscore (I knew my fields would fit this parameters). That did the trick.


SQLite will escape identifiers for you with the %w format in the https://www.sqlite.org/printf.html family of functions.


Need Your Help

Google Analytics API - pagination

ruby google-analytics google-api google-analytics-api

I am downloading some data from Google Analytics using Google Api Client for Ruby (my Gemfile.lock sais its google-api-client (0.6.4)). I get data from google but it is so much of it that it comes ...

How to fix a cell width in a table where width = 100%

html width cell css-tables

I would like to know if it's possible, in a table where width=100%, and where each column width are % value, to get for the last column a fixed width?