SQLite insert into table -> Parameter count mismatch

**ChrisW67** · 12th June 2014, 11:00

Originally Posted by KeineAhnung

Parameterization looks odd to me. Is there an advantage doing this or is this just a personal style thing?

It has the advantage that you do not have to worry about quoting values, the query is easier to read and validate, and it is clear what values are inserted into the query. The first point has substantial security advantages in the face of user-input. Consider this example:

Qt Code:

Switch view

QString qry = "UPDATE passwordTable SET password ='" + newPassword + "' WHERE userName = '" + userInput +"' ";

QString qry = "UPDATE passwordTable SET password ='" + newPassword + "' WHERE userName = '" + userInput +"' ";

To copy to clipboard, switch view to plain text mode

when the malicious user has provided this as userInput:

Qt Code:

Switch view

dummy' OR 'x' = 'x

dummy' OR 'x' = 'x

To copy to clipboard, switch view to plain text mode

the query becomes:

Qt Code:

Switch view

UPDATE passwordTable SET password ='opensesame' WHERE userName = 'dummy' OR 'x' = 'x'

UPDATE passwordTable SET password ='opensesame' WHERE userName = 'dummy' OR 'x' = 'x'

To copy to clipboard, switch view to plain text mode

which is obviously a bad thing. Using parameters avoids this possibility.

Thread: SQLite insert into table -> Parameter count mismatch

Thread Tools

Search Thread

Display

Threaded View

Re: SQLite insert into table -> Parameter count mismatch

Similar Threads

Using bound values in insert gives "parameter count mismatch" error in SQLite

How to find the ROWID after an insert into an SQLite table?

Insert unicode in SQlite

Sql problem - parameter mismatch count

Parameter count mismatch in create table statement

Tags for this Thread

Bookmarks

Bookmarks

Posting Permissions