    #include <sqlite3.h>
    #include <iostream>
    #include <string>
    #include <vector>

    // user_record and the sqlite3_exec row callback are defined elsewhere in the asker's code (not shown)
    int callback(void* records, int argc, char** argv, char** col_names);

    bool run_query(sqlite3* db, const std::string& sql, std::vector<user_record>& records)
    {
      // clear any prior results
      records.clear();

      // sqlite3_exec only assigns this on failure, so start from nullptr
      char* error_message = nullptr;
      if(sqlite3_exec(db, sql.c_str(), callback, &records, &error_message) != SQLITE_OK)
      {
        std::cout << "Data failed to be queried from USERS table. ERROR = " << error_message << std::endl;
        sqlite3_free(error_message);
        return false;
      }

      return true;
    }

How do I fix this method to fail and display an error if there is a suspected SQL Injection?

  • Does this answer your question? [C++ And SQLite - How to execute a query formed by user input?](https://stackoverflow.com/questions/36815112/c-and-sqlite-how-to-execute-a-query-formed-by-user-input) – Daniel A. White Mar 28 '21 at 14:33
  • The only way this code could display such an error is if it manually parses the `sql` string to see what it is actually doing, looking for suspected attack vectors, multiple statements, etc. Otherwise, simply don't blindly run SQL strings like this to begin with, use [prepared statements](https://sqlite.org/c3ref/stmt.html) instead, which are not subject to injection attacks. – Remy Lebeau Mar 28 '21 at 17:12

0 Answers