Question
How to write prepared statements for SQLite in iPhone? Is it possible to do SQL Injection in iPhone apps that use sqlite db?
Answer 1:
I would suggest that if you're starting to develop an iPhone app now you should probably use Core Data rather than coding directly to SQLite. Having said that, creating a prepared statement is simple and well documented:
#include <sqlite3.h>
sqlite3_stmt* statement_handle;
/* the ? is filled in afterwards with sqlite3_bind_text(statement_handle, 1, value, -1, SQLITE_TRANSIENT), then sqlite3_step() and sqlite3_finalize() */
sqlite3_prepare_v2(db, "select a,b from Table where c = ?", -1, &statement_handle, NULL);
And yes, it is possible to have SQL injection attacks in a badly coded application. Using prepared statements goes a long way to avoid it.
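Added illustration (not part of the original answer): the same `?` placeholder semantics, shown through Python's built-in sqlite3 module because it wraps the very sqlite3_prepare_v2 / sqlite3_bind_* / sqlite3_step sequence the answer describes. The table name `items`, the column names a, b, c (chosen to match the answer's query) and the sample rows are all constructed for this example. It puts a string-concatenated query next to a bound one and feeds both the same untrusted value, so the difference in returned rows is visible.

```python
import sqlite3

# Constructed sample rows (not from the original post); the columns a, b, c
# mirror the answer's "select a,b from Table where c = ?".
SAMPLE_ROWS = [(1, "b1", "one"), (2, "b2", "two"), (3, "b3", "three")]


def setup_db():
    """Create an in-memory database with a table named items (assumed name)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (a INTEGER, b TEXT, c TEXT)")
    # executemany binds each tuple separately, exactly like sqlite3_bind_* in C
    conn.executemany("INSERT INTO items (a, b, c) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, c_value):
    """Vulnerable variant: the untrusted value becomes part of the SQL text,
    so quote characters in it change the statement's meaning."""
    sql = "SELECT a, b FROM items WHERE c = '" + c_value + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, c_value):
    """Safe variant: the statement is compiled with a ? placeholder and the
    value is bound afterwards; SQLite treats it purely as data."""
    return conn.execute("SELECT a, b FROM items WHERE c = ?", (c_value,)).fetchall()


if __name__ == "__main__":
    conn = setup_db()
    normal = "two"
    hostile = "x' OR '1'='1"  # constructed input containing a quote character
    print("concat, normal :", lookup_concat(conn, normal))
    print("bound,  normal :", lookup_bound(conn, normal))
    print("concat, hostile:", lookup_concat(conn, hostile))  # every row leaks
    print("bound,  hostile:", lookup_bound(conn, hostile))   # no row matches
```

Running it shows both lookups agreeing on ordinary input, while on the quoted input the concatenated query returns the whole table and the bound query returns nothing, which is the behaviour the answer means by "goes a long way to avoid it". Note that binding only protects values; table and column names still cannot be parameterised and must come from the application, not from user input.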
Answer 2:
Along with Core Data, I'd also recommend looking at a higher level iPhone SQLite library such as: FMDB
Source: https://stackoverflow.com/questions/1187154/how-to-write-prepared-statements-for-sqlite-in-iphone