Alexander Kislinsky, 2016-07-31 20:00:18
SQL

How to protect UPDATE query from SQL injections in SQLite?

I am developing a mobile application in Apache Cordova, and I need to store a string that can contain apostrophes.
The plugin used to access SQLite does not give all the expressiveness of native SQL queries. In addition, on the Internet I found examples of using UPDATE only of the form

UPDATE posts SET description = 'i'm robot', postTime = '1469983320000' WHERE UID = ?

Is it possible to use a query like
UPDATE posts SET (description, postTime) VALUES (?,?) WHERE UID = ?
in order to avoid adding escape apostrophes to the string (with them the string "O'Brien" would look like "O''Brien")?
Are there other ways besides escape apostrophes?


3 answer(s)
Alexander Kislinsky, 2016-08-13
@Luonic

In general, you cannot use prepared statements in this plugin. I made a direct replacement of single apostrophes with double apostrophes with a regexp.

Alexander, 2016-07-31
@yaka

If the platform is node.js, then: https://github.com/mapbox/node-sqlite3/wiki/API#da...
If different, then it makes sense to search for sqlite parameterized query

Stanislav Makarov, 2016-07-31
@Nipheris

https://www.sqlite.org/c3ref/prepare.html
Often this is called a prepared statement or prepared query, so it's also useful to google for these terms.
What plugin is it?
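The three approaches in this thread side by side, as an added example that is not from the question or any of the answers: the concatenated form from the question (breaks on an apostrophe), the quote-doubling workaround from the first answer, and the parameterized UPDATE the other two answers recommend. It uses Python's built-in sqlite3 module against a constructed in-memory "posts" table, since the Cordova plugin itself is not named on the page.

```python
import re
import sqlite3

# Constructed in-memory database; the table and columns mirror the question's UPDATE.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (UID INTEGER PRIMARY KEY, description TEXT, postTime TEXT)")
    con.execute("INSERT INTO posts VALUES (1, 'old', '0')")
    return con

def update_concat(con, desc, post_time, uid):
    """The form from the question: the value is pasted into the SQL text.
    Any apostrophe in desc ends the string literal early and the statement fails
    (and untrusted input could change what the statement does)."""
    sql = f"UPDATE posts SET description = '{desc}', postTime = '{post_time}' WHERE UID = {uid}"
    con.execute(sql)

def update_escaped(con, desc, post_time, uid):
    """Answer 1's workaround: double every single quote so SQLite reads it as a
    literal quote. Only the string column is escaped; postTime and UID are numeric."""
    safe = re.sub("'", "''", desc)
    sql = f"UPDATE posts SET description = '{safe}', postTime = '{post_time}' WHERE UID = {uid}"
    con.execute(sql)

def update_param(con, desc, post_time, uid):
    """Answers 2 and 3: a parameterized (prepared) statement. Values are bound
    separately and never become part of the SQL text, so no escaping is needed."""
    con.execute("UPDATE posts SET description = ?, postTime = ? WHERE UID = ?",
                (desc, post_time, uid))

def read_desc(con, uid):
    return con.execute("SELECT description FROM posts WHERE UID = ?", (uid,)).fetchone()[0]

def demo(desc="i'm robot"):
    """Run all three forms on one row and report what each stored (or raised)."""
    results = {}
    con = make_db()
    try:
        update_concat(con, desc, "1469983320000", 1)
        results["concat"] = read_desc(con, 1)
    except sqlite3.OperationalError as e:
        results["concat"] = f"error: {e}"        # broken statement, nothing stored
    update_escaped(con, desc, "1469983320000", 1)
    results["escaped"] = read_desc(con, 1)      # stored verbatim as "i'm robot"
    update_param(con, "O'Brien", "1469983320000", 1)
    results["param"] = read_desc(con, 1)        # stored verbatim as "O'Brien"
    return results

if __name__ == "__main__":
    print(demo())
```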
