add method for directly escaping string for use in queries

NEW
Unassigned

Status

()

Toolkit
Storage
10 years ago
10 years ago

People

(Reporter: myk, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

10 years ago
Bound parameters are best in most cases, but they are overcomplicated to use in some, like a query whose WHERE clause has an IN condition that references a dynamic number of strings, i.e.:

UPDATE foo SET bar = 'baz' WHERE bar IN ('a', 'b', 'c', ...);

If we had a method that directly escaped (and quoted) a string, generating this query in JS would be as simple as:

"UPDATE foo SET bar = 'baz' WHERE bar IN (" + array.map(escape).join(", ") + ")"

Per the C language interface to SQLite version 2 <http://sqlite.org/c_interface.html>, which also applies to version 3, I think, one can use sqlite_mprintf with the %q and %Q extensions to escape and escape+quote strings, respectively.

It might even be possible to use sqlite_vmprintf to escape multiple strings at once, although it's not clear what it outputs (perhaps a comma-delimited list of quoted strings?).
`
You need to log in before you can comment on or make changes to this bug.