Objective c FMDB避免sql注入
我正在做一个基于原始sqlite的项目,我已经把它改成了FMDB 所有查询都已参数化 这里有一个这样的例子:Objective c FMDB避免sql注入,objective-c,sqlite,fmdb,Objective C,Sqlite,Fmdb,我正在做一个基于原始sqlite的项目,我已经把它改成了FMDB 所有查询都已参数化 这里有一个这样的例子: NSString* sqlQuery = [NSString stringWithFormat:@"SELECT COUNT(*) FROM Contacts WHERE FirstName='%@' AND LastName='%@'", fName,lName]; 然后我将其传递给我的助手类: NSInteger count = [[[DB sharedManager] exe
NSString* sqlQuery = [NSString stringWithFormat:@"SELECT COUNT(*) FROM Contacts WHERE FirstName='%@' AND LastName='%@'", fName,lName];
NSInteger count = [[[DB sharedManager] executeSQL:sqlQuery] integerValue];
- (NSString*)executeSQL:(NSString *)sql
{
__block NSString *resultString = @"";
[_secureQueue inDatabase:^(FMDatabase *db) {
FMResultSet *results = [db executeQuery:sql];
while([results next]) {
resultString= [results stringForColumnIndex:0];
}
}];
return resultString;
}
NSInteger count = [[[DB sharedManager] executeSQL:sqlQuery] integerValue];
- (NSString*)executeSQL:(NSString *)sql
{
__block NSString *resultString = @"";
[_secureQueue inDatabase:^(FMDatabase *db) {
FMResultSet *results = [db executeQuery:sql];
while([results next]) {
resultString= [results stringForColumnIndex:0];
}
}];
return resultString;
}
sql = @"SELECT COUNT(*) FROM Contacts WHERE FirstName=? AND LastName=?"
[db executeQuery:sql,firstParam, secondParam]
NSString* sqlQuery = [NSString stringWithFormat:@"SELECT COUNT(*) FROM Contacts WHERE FirstName=? AND LastName=?", fName,lName];
NSString* sqlQuery = [NSString stringWithFormat:@"SELECT COUNT(*) FROM Contacts WHERE FirstName='%@' AND LastName='%@'", fName,lName];
sql = @"SELECT COUNT(*) FROM Contacts WHERE FirstName=? AND LastName=?"
[db executeQuery:sql,firstParam, secondParam]
NSString* sqlQuery = [NSString stringWithFormat:@"SELECT COUNT(*) FROM Contacts WHERE FirstName=? AND LastName=?", fName,lName];
如果您希望避免SQL注入问题,则决不能使用
stringWithFormat所以你别无选择,只能更换你的助手。让它接受两个参数而不是一个。第一个是正确使用
?stringWithFormat所以你别无选择,只能更换你的助手。让它接受两个参数而不是一个。第一个是正确使用
?