I am deleting all data from the table by using the code snippet below:
// Statement built by interpolating the table name into the SQL text
NSString *deleteStatementNS = [NSString stringWithFormat:@"DELETE FROM %@", [tableNames objectAtIndex:i]];

// Statement that tries to supply the table name through a bound parameter instead
const char *prepareDelete = "DELETE FROM '?'";
const char *tbleName = [[tableNames objectAtIndex:i] UTF8String];

if (sqlite3_prepare_v2(dBase, prepareDelete, -1, &dbpreprdstmnt, NULL) == SQLITE_OK)
{
    // Bind the table name to parameter 1, run the statement, then release it
    dbrc = sqlite3_bind_text(dbpreprdstmnt, 1, tbleName, -1, SQLITE_TRANSIENT);
    dbrc = sqlite3_step(dbpreprdstmnt);
    sqlite3_finalize(dbpreprdstmnt);
    dbpreprdstmnt = NULL;
}
else
{
    // Preparation failed: report the SQLite error text
    NSLog(@"Error %@", [NSString stringWithCString:sqlite3_errmsg(dBase) encoding:NSUTF8StringEncoding]);
}
But unfortunately the delete is not happening; I am getting the error "Error no such table: ?".
I am not even able to prepare the statement. But if I use the prepared statement like below:
const char *prepareDelete =[deleteStatementNS UTF8String];
this is working absolutely fine. I am not able to bind the variable to stop SQL injection attacks. May I know the reason behind this error, please? I found many places where this code snippet is reported as working fine.
Table names cannot be bound as variables.
To avoid SQL injection attacks don’t let your users specify which table names will be deleted. Make sure the table names come from a trusted source (e.g. hardcoded in your program).
In fact it’s a really bad idea to delete all data in a table when the table name comes from an untrusted source. Even if you prevent SQL injection attacks, an attacker could still delete data you didn’t want them to delete.
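The two failure modes described in the question, and the safe pattern the answer recommends, shown against the same SQLite engine through Python's built-in sqlite3 module. This is an added example, not code from the original post: the in-memory database, the table names `notes` and `audit`, and the `ALLOWED_TABLES` allow-list are constructed for the demonstration.

```python
import sqlite3

# Hypothetical allow-list of tables the application is permitted to clear.
# The table name never comes from user input; it is checked against this set.
ALLOWED_TABLES = frozenset({"notes", "audit"})


def make_db():
    """Constructed in-memory database with two small tables (sample data, not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE notes(id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE audit(id INTEGER PRIMARY KEY, event TEXT);
        INSERT INTO notes(body) VALUES ('first'), ('second');
        INSERT INTO audit(event) VALUES ('login');
    """)
    return conn


def try_bind_table_name(conn, table):
    """A '?' placeholder stands for a value, never for an identifier, so the
    statement fails at prepare time; returns SQLite's error text."""
    try:
        conn.execute("DELETE FROM ?", (table,))
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def try_quoted_placeholder(conn):
    """'?' in single quotes is not a placeholder at all: in a position where
    only an identifier is allowed, SQLite treats the quoted string as a table
    named ? and reports that it does not exist."""
    try:
        conn.execute("DELETE FROM '?'")
    except sqlite3.OperationalError as e:
        return str(e)
    return None


def quote_identifier(name):
    """Double-quote an identifier, escaping embedded double quotes."""
    return '"' + name.replace('"', '""') + '"'


def row_count(conn, table):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table {table!r}")
    return conn.execute(f"SELECT COUNT(*) FROM {quote_identifier(table)}").fetchone()[0]


def clear_table(conn, table):
    """Delete all rows from an allow-listed table; returns the number removed.
    The allow-list check is the real defence: quoting only guards the SQL text,
    it does not stop a caller from naming a table they should not touch."""
    if table not in ALLOWED_TABLES:
        raise ValueError(f"refusing to clear unknown table {table!r}")
    with conn:  # one transaction for the count and the delete
        before = row_count(conn, table)
        conn.execute(f"DELETE FROM {quote_identifier(table)}")
    return before


if __name__ == "__main__":
    db = make_db()
    print(try_bind_table_name(db, "notes"))   # near "?": syntax error
    print(try_quoted_placeholder(db))         # no such table: ?
    print(clear_table(db, "notes"), "rows removed from notes")
    print(row_count(db, "audit"), "row(s) still in audit")
```

The allow-list, not the identifier quoting, is what prevents an attacker from choosing the target table: a name like `audit; DROP TABLE notes` is rejected before any SQL is built.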