I am trying to create a table in a SQLite database based on user provided text. Everything worked correctly, except when I tried to add an apostrophe inside the text (which should have been the new table name). After researching, I decided that what I was doing was not best practice, as it was vulnerable to injection:
const char *sqlStr = [[NSString stringWithFormat:@"CREATE Table '%@' ('Name' 'char(50)','ID' 'integer')",theString]UTF8String];
So, I'm trying to find a way to include apostrophes in the table name and safely embed the value in the database. I read about binding values, but is this possible with the CREATE TABLE statement? Or only when you insert data into an existing table?
Thank you for your help.
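As an added illustration (not code from the question above): SQLite's bind parameters (`?`, `:name`) can only stand in for literal values, so a CREATE TABLE name cannot be bound; the table name has to be embedded as a quoted identifier, wrapped in double quotes with any embedded double quote doubled, which makes apostrophes harmless. The helpers below are hypothetical, in plain C so they can sit next to the sqlite3 C API the question already uses, and the resulting string would still be handed to sqlite3_prepare_v2/sqlite3_exec as before.

```c
#include <stdio.h>
#include <string.h>

/* Wrap a user-supplied name in SQLite identifier quotes ("..."), doubling any
 * embedded double quote. Apostrophes need no escaping inside "..." quoting.
 * Returns 0 on success, -1 if the output buffer is too small. */
int quote_identifier(const char *name, char *out, size_t outlen) {
    size_t n = 0;
    if (outlen < 3) return -1;              /* room for "" and the NUL */
    out[n++] = '"';
    for (const char *p = name; *p; p++) {
        if (*p == '"') {
            if (n + 3 > outlen) return -1;  /* this char + closing quote + NUL */
            out[n++] = '"';                 /* doubled quote */
        }
        if (n + 3 > outlen) return -1;
        out[n++] = *p;
    }
    out[n++] = '"';
    out[n] = '\0';
    return 0;
}

/* Build the CREATE TABLE statement the question tries to produce, with the
 * table name inserted as a quoted identifier. Returns 0 on success, -1 on
 * truncation. The column list is fixed; only the table name is user input. */
int build_create_table(const char *table, char *out, size_t outlen) {
    char ident[256];
    if (quote_identifier(table, ident, sizeof ident) != 0) return -1;
    int w = snprintf(out, outlen,
                     "CREATE TABLE %s (\"Name\" char(50), \"ID\" integer)", ident);
    return (w < 0 || (size_t)w >= outlen) ? -1 : 0;
}

int main(void) {
    char sql[512];
    /* constructed sample names, including an apostrophe and a double quote */
    const char *names[] = { "O'Reilly", "say \"hi\"", "plain" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_create_table(names[i], sql, sizeof sql) == 0) puts(sql);
    }
    return 0;
}
```

A length limit or an allow-list on the name is a sensible additional check, since quoting only makes the text a valid identifier, not necessarily a desirable one.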