C#2y ago
reeeeeee

❔ Escape ' character in parameter in multiple methods

I have an existing sqlite database service with like 30 methods (it's an older app). Most of them have one or two parameters like string code which is then transformed into the sqlite query. The thing is, if this code parameter has a single quote ' in it, the query fails (obv), so I need to escape it. I can escape it with an additional ', so adding something like code = code.Replace("'", "''") would technically work fine (would be better to add some additional verification if there are already two ''). Is there any better way to do this than just adding this line or two into every method?
2 Replies
Angius
Angius2y ago
The one and only proper solution is using prepared statements/parametrized queries. If a stray ' in a parameter you pass to the query causes issues, that means the code is open for SQL injection and should be taken down until it's fixed
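The pattern Angius describes, as an added example that is not from the thread: the same lookup written with string concatenation (the "before" that breaks on a quote) beside the parameterized version that replaces the Replace("'", "''") line in each method. It assumes the Microsoft.Data.Sqlite package and a constructed table items(code, name).

```csharp
using System;
using Microsoft.Data.Sqlite;

public sealed class ItemService
{
    private readonly SqliteConnection _conn;

    public ItemService(SqliteConnection conn) => _conn = conn;

    // "Before": the value is spliced into the SQL text, so a quote inside
    // `code` changes the statement itself instead of being compared as data.
    public string FindNameUnsafe(string code)
    {
        using var cmd = _conn.CreateCommand();
        cmd.CommandText = "SELECT name FROM items WHERE code = '" + code + "'";
        return cmd.ExecuteScalar() as string;
    }

    // Hardened: the SQL text is fixed; `code` travels as a bound parameter,
    // so quotes in it are plain data and no manual escaping is needed.
    public string FindName(string code)
    {
        using var cmd = _conn.CreateCommand();
        cmd.CommandText = "SELECT name FROM items WHERE code = $code";
        cmd.Parameters.AddWithValue("$code", code);
        return cmd.ExecuteScalar() as string;
    }
}

public static class Program
{
    public static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var setup = conn.CreateCommand())
        {
            // Constructed sample data; the second code contains a single quote.
            setup.CommandText =
                "CREATE TABLE items(code TEXT PRIMARY KEY, name TEXT);" +
                "INSERT INTO items VALUES ('A1', 'alpha'), ('O''Brien', 'bravo');";
            setup.ExecuteNonQuery();
        }

        var svc = new ItemService(conn);
        Console.WriteLine(svc.FindName("O'Brien"));        // prints bravo
        try { svc.FindNameUnsafe("O'Brien"); }               // malformed SQL
        catch (SqliteException e) { Console.WriteLine("unsafe query failed: " + e.Message); }
    }
}
```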
Accord
Accord2y ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.