Given the statement:

```c
const char *sql = "INSERT INTO FooTable (barStr) VALUES (?)";
```

is the following use of sqlite3_bind_text (and related sqlite3_bind_* functions) sufficient to prevent SQL injection attacks?
```objc
#import <Foundation/Foundation.h>
#import <sqlite3.h>

// dbFilePath and userContent are NSString values supplied by the caller.
sqlite3 *db = NULL;
sqlite3_stmt *dbps = NULL;
int dbrc = sqlite3_open([dbFilePath UTF8String], &db);
if (dbrc != SQLITE_OK) {
    // handle error (sqlite3_close(db) is still required after a failed open)
    return;
}
// The SQL text is compiled here; '?' is a placeholder, not text to be filled in.
dbrc = sqlite3_prepare_v2(db, sql, -1, &dbps, NULL);
if (dbrc != SQLITE_OK) {
    // handle error; dbps is NULL here and must not be bound or stepped
    sqlite3_close(db);
    return;
}
// The user data is attached as a value. -1 = read up to the NUL terminator;
// SQLITE_TRANSIENT makes SQLite copy the buffer, which is needed because
// -[NSString UTF8String] returns temporary storage.
sqlite3_bind_text(dbps, 1, [userContent UTF8String], -1, SQLITE_TRANSIENT);
dbrc = sqlite3_step(dbps);
if (SQLITE_DONE != dbrc) {
    // handle error
}
sqlite3_finalize(dbps);
sqlite3_close(db);
```
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
Yes, if you only pass the user supplied data to sqlite3_bind_* functions, then you are safe from SQL injection attacks (these attacks assume that you dynamically build your query string and don't quote/escape the user supplied data correctly).
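An added example, not part of either answer above, showing why the bound parameter is safe and the string-built query is not. It uses Python's built-in sqlite3 module (which drives the same sqlite3_prepare_v2 / sqlite3_bind_* path as the C code in the question) against a constructed in-memory table, and compares what ends up stored for two constructed inputs: an injection payload that smuggles a second row into the INSERT, and an ordinary name containing an apostrophe. Table and column names follow the question; the function names are mine.

```python
import sqlite3

# Same statement as in the question: the value is a placeholder, never SQL text.
SQL_BOUND = "INSERT INTO FooTable (barStr) VALUES (?)"


def make_db():
    """Constructed in-memory database with the table from the question."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE FooTable (barStr TEXT)")
    return conn


def insert_concatenated(conn, user_content):
    """Vulnerable: user data is spliced into the SQL text and re-parsed.

    A quote in user_content closes the string literal, so whatever follows is
    interpreted as SQL. Returns the statement actually compiled, for inspection.
    """
    sql = "INSERT INTO FooTable (barStr) VALUES ('" + user_content + "')"
    conn.execute(sql)
    return sql


def insert_bound(conn, user_content):
    """Safe: the statement is compiled first, then the value is bound.

    The bound value is never tokenised as SQL, so quotes inside it are data.
    """
    conn.execute(SQL_BOUND, (user_content,))


def rows(conn):
    """Stored values in insertion order."""
    return [r[0] for r in conn.execute("SELECT barStr FROM FooTable ORDER BY rowid")]


def compare(user_content):
    """Run both insert styles on fresh tables and report what each stored."""
    results = {}

    conn = make_db()
    try:
        insert_concatenated(conn, user_content)
        results["concatenated"] = rows(conn)
    except sqlite3.Error as e:
        # e.g. a stray apostrophe breaks the statement outright
        results["concatenated"] = f"error: {e}"
    conn.close()

    conn = make_db()
    insert_bound(conn, user_content)
    results["bound"] = rows(conn)
    conn.close()

    return results


if __name__ == "__main__":
    # Constructed payload: closes the literal and adds a second VALUES row.
    for sample in ["x'), ('injected", "O'Brien"]:
        print(repr(sample), "->", compare(sample))
```

With the first payload the concatenated statement becomes `INSERT INTO FooTable (barStr) VALUES ('x'), ('injected')` and stores two rows, while the bound version stores the payload as a single literal string. The second input shows the other side of the same defect: the concatenated query fails with a syntax error on a legitimate name, while the bound version stores it correctly. One caveat that holds for the C API as well: placeholders can only stand for values. Table names, column names and ORDER BY direction cannot be bound and must be checked against a fixed allow-list if they ever come from the user.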