I am trying to create a table in a SQLite database based on user provided text. Everything was working correctly, except when I tried to add an apostrophe inside the text (which was to be the new table name). After research, I determined that what I was doing is not the best practice as it is vulnerable to injection:
const char *sqlStr = [[NSString stringWithFormat:@"CREATE Table '%@' ('Name' 'char(50)','ID' 'integer')",theString]UTF8String];
So I am trying to find a way to allow apostrophes to be included in the table name and safely inserting the value into the database. I have read about binding values, but is this possible with the 'CREATE TABLE' statement? Or only when you insert data into an already existing table?
Thanks for your help.
From the documentation:
A string constant is formed by enclosing the string in single quotes ('). A single quote within the string can be encoded by putting two single quotes in a row - as in Pascal.
Thus:
[theString stringByReplacingOccurrencesOfString:@"'" withString:@"''"];
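An added example, not code from the question or the answer above, that applies the same doubling rule to SQLite identifier quoting (double quotes, with an embedded double quote doubled) and also shows that a bound parameter cannot stand in for a table name, which is the second part of the question. It uses Python's standard sqlite3 module rather than the Objective-C API; the table names are constructed sample input.

```python
import sqlite3


def quote_identifier(name: str) -> str:
    """Quote a table or column name for SQLite.

    Identifiers are wrapped in double quotes and any double quote inside the
    name is doubled, the same rule the documentation gives for single quotes
    inside string constants. Apostrophes need no escaping at all here.
    """
    if "\x00" in name:
        raise ValueError("identifier must not contain a NUL byte")
    return '"' + name.replace('"', '""') + '"'


def create_user_table(conn: sqlite3.Connection, name: str) -> str:
    """Create a table whose name comes from user text; return the stored name."""
    sql = f"CREATE TABLE {quote_identifier(name)} (Name char(50), ID integer)"
    conn.execute(sql)
    # Read the name back from the schema so we can confirm it was taken literally.
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row[0]


def binding_table_name_fails(conn: sqlite3.Connection, name: str) -> bool:
    """Binding only works for values; a '?' in identifier position is a syntax error."""
    try:
        conn.execute("CREATE TABLE ? (Name char(50), ID integer)", (name,))
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Run the example against an in-memory database (constructed sample names)."""
    conn = sqlite3.connect(":memory:")
    return {
        "apostrophe": create_user_table(conn, "O'Brien's"),
        "double_quote": create_user_table(conn, 'say "hi"'),
        "quoted": quote_identifier('a"b'),
        "bind_fails": binding_table_name_fails(conn, "Users"),
    }


if __name__ == "__main__":
    print(demo())
```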