
I am trying to bind a wide string to a sqlite3 prepared statement. I was trying to follow this answer, but it didn't work:

    const auto sql_command = L"SELECT * FROM register_names WHERE name is ?VVV";
    sqlite3_stmt *statement;
    sqlite3_prepare16(db, sql_command, -1, &statement, NULL);
    wstring p = ObjectAttributes->ObjectName->Buffer;
    sqlite3_bind_text16(statement, 1,  p.data(), -1, SQLITE_TRANSIENT);
    printf("sql command: %s\n", sqlite3_sql(statement));
    auto data = "Callback function called";
    char *zErrMsg = nullptr;

    auto rc = sqlite3_exec(db,  sqlite3_sql(statement), callback, (void *) data, &zErrMsg);

I tried using 0 or 1 in sqlite3_bind_text16, but I either get null or the original string with no substitution. What am I doing wrong?


1 Answer


In your SQL statement, change is to =, and change ?VVV to just ?.

More importantly, per the documentation, sqlite3_exec() is not the correct way to execute a sqlite3_stmt you have prepared. You need to use sqlite3_step() (and sqlite3_finalize()) instead.

Try this:

    const auto sql_command = u"SELECT * FROM register_names WHERE name = ?";

    sqlite3_stmt *statement;
    auto rc = sqlite3_prepare16(db, sql_command, -1, &statement, NULL);
    if (rc != SQLITE_OK) ...

    // sqlite3_bind_text16() takes the length in bytes, which is what UNICODE_STRING::Length holds
    rc = sqlite3_bind_text16(statement, 1, ObjectAttributes->ObjectName->Buffer, ObjectAttributes->ObjectName->Length, SQLITE_TRANSIENT);
    if (rc != SQLITE_OK) ...

    // sqlite3_sql() returns the original statement text; bound values are never substituted into it
    printf("sql command: %s\n", sqlite3_sql(statement));

    while ((rc = sqlite3_step(statement)) == SQLITE_ROW)
    {
        // process row as needed using sqlite3_column_XXX() functions...
    }

    if (rc != SQLITE_DONE) ...

    rc = sqlite3_finalize(statement);
    if (rc != SQLITE_OK) ...

2 Comments

Would a prepared statement be enough to prevent SQL injection? Or are prepared statements in C++ different?
@ntdllnewbie.dll "would prepared statement be enough to prevent sql injection?" - yes. That is one of the benefits of using prepared statements. Another is performance.
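As an added example, not from the question or the answer: the same lookup driven from Python's standard sqlite3 module, which wraps the same C library (its ? placeholders are bound through sqlite3_bind_* exactly as in the answer), contrasting a bound parameter with a value spliced into the SQL text. The register_names rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows standing in for the question's register_names table.
SAMPLE_NAMES = ["\\Device\\HarddiskVolume1", "O'Brien", "Überwachung"]


def open_register() -> sqlite3.Connection:
    """Create an in-memory register_names table filled with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE register_names (name TEXT NOT NULL)")
    # executemany() with a '?' placeholder is itself a prepared statement, bound once per row.
    con.executemany("INSERT INTO register_names (name) VALUES (?)",
                    [(n,) for n in SAMPLE_NAMES])
    con.commit()
    return con


def lookup_bound(con: sqlite3.Connection, name: str) -> list[str]:
    """Prepared statement: the SQL text is compiled with a '?' and the value is bound
    separately (sqlite3_bind_text underneath), so it stays data and is never parsed as SQL."""
    rows = con.execute("SELECT name FROM register_names WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_interpolated(con: sqlite3.Connection, name: str) -> list[str]:
    """The pattern binding replaces: splicing the value into the SQL text, where any quote
    or operator in it becomes part of the statement the engine compiles."""
    sql = f"SELECT name FROM register_names WHERE name = '{name}'"
    return [row[0] for row in con.execute(sql)]


def compare(name: str) -> dict:
    """Run both lookups for one input; interpolation may fail or widen where binding cannot."""
    con = open_register()
    try:
        result = {"bound": lookup_bound(con, name)}
        try:
            result["interpolated"] = lookup_interpolated(con, name)
        except sqlite3.OperationalError as exc:
            # A quote inside the value breaks the spliced statement (unterminated token).
            result["interpolated"] = f"error: {exc}"
        return result
    finally:
        con.close()


if __name__ == "__main__":
    for probe in ["O'Brien", "Überwachung", "x' OR 1=1 --"]:
        print(repr(probe), "->", compare(probe))
```

The bound lookup returns exactly the row whose name equals the input (a quote or a non-ASCII name needs no escaping), while the spliced version either errors on the apostrophe or matches every row, which is the injection the comment above asks about.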
