Closed Bug 429065 Opened 16 years ago Closed 6 years ago

add method for directly escaping string for use in queries

Categories

(Toolkit :: Storage, defect)

defect
Not set
normal

RESOLVED INACTIVE

People

(Reporter: myk, Unassigned)

Details

Bound parameters are best in most cases, but they are overcomplicated to use in some, like a query whose WHERE clause has an IN condition that references a dynamic number of strings, i.e.:

UPDATE foo SET bar = 'baz' WHERE bar IN ('a', 'b', 'c', ...);

If we had a method that directly escaped (and quoted) a string, generating this query in JS would be as simple as:

"UPDATE foo SET bar = 'baz' WHERE bar IN (" + array.map(escape).join(", ") + ")"

Per the C language interface to SQLite version 2 <http://sqlite.org/c_interface.html>, which also applies to version 3, I think, one can use sqlite_mprintf with the %q and %Q extensions to escape and escape+quote strings, respectively.

It might even be possible to use sqlite_vmprintf to escape multiple strings at once, although it's not clear what it outputs (perhaps a comma-delimited list of quoted strings?).
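The one-liner in the report assumes an `escape` function with the semantics of SQLite's `%q`/`%Q` format extensions. As an added example (not code from this bug or from mozStorage), the JavaScript below imitates those two conversions in plain string handling and, beside them, shows the bound-parameter form the report calls best in most cases: one numbered placeholder per value, with the values handed over separately. The function names `escapeSqlString`, `quoteSqlString`, `buildInWithEscaping` and `buildInWithParams` are constructed for the example; the only escaping rule applied is the one `%q` uses (doubling single quotes), so identifiers such as the column name are kept as fixed literals, not built from input.

```javascript
// Added example, not part of the bug report or the mozStorage API.
// escapeSqlString mimics SQLite's %q: every single quote is doubled so the
// value can never terminate the surrounding SQL string literal.
function escapeSqlString(value) {
  return String(value).replace(/'/g, "''");
}

// quoteSqlString mimics %Q: escape as above and wrap in single quotes;
// a null/undefined value becomes the bare keyword NULL, as %Q does for a
// NULL pointer.
function quoteSqlString(value) {
  if (value === null || value === undefined) {
    return "NULL";
  }
  return "'" + escapeSqlString(value) + "'";
}

// The report's one-liner with quoteSqlString standing in for `escape`.
// Correct only because every element is passed through the quoting step.
function buildInWithEscaping(values) {
  return "UPDATE foo SET bar = 'baz' WHERE bar IN (" +
         values.map(quoteSqlString).join(", ") + ")";
}

// Bound-parameter alternative: emit ?1, ?2, ... and return the values
// separately so the statement API binds them and no escaping is needed.
function buildInWithParams(values) {
  const placeholders = values.map((_, i) => "?" + (i + 1)).join(", ");
  return {
    sql: "UPDATE foo SET bar = 'baz' WHERE bar IN (" + placeholders + ")",
    params: values.slice(), // bind params[i] to ?(i+1)
  };
}

// Constructed sample input: an ordinary value and one containing a quote.
const sample = ["a", "O'Brien"];
console.log(buildInWithEscaping(sample));
// → UPDATE foo SET bar = 'baz' WHERE bar IN ('a', 'O''Brien')
console.log(JSON.stringify(buildInWithParams(sample)));
// → {"sql":"UPDATE foo SET bar = 'baz' WHERE bar IN (?1, ?2)","params":["a","O'Brien"]}
```

The escaping form is only as safe as the guarantee that every dynamic value goes through `quoteSqlString`; the parameter form keeps data out of the SQL text entirely, which is why it remains the preferred option even for a variable-length IN list.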
Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INACTIVE