// This returns a count of 1, so the table does exist, and I know the user exists becaue I have just added him in... Int32 tableCount = database.Query(map, "SELECT * FROM sqlite_master WHERE type = 'table' AND name = 'UserTable'", ps).Count; //but when I try this the count is 0....what am I doing wrong? Int32 tableCount2 = database.Query(map, "SELECT * FROM sqlite_master WHERE type = 'table' AND name = 'UserTable' AND NameOfUser = '" + personsName + "'", ps).Count; t
rying to see if the user exists…what am I doing wrong?
Advertisement
Answer
SQL Injections
First, I want to say that this code is vulnerable to SQL Injections, .
Why does the query not work?
Because ‘NameOfUser’ is not a column of sqlite_master, but it is a column of UserTable, I suppose.
sqlite_master consists of the following columns:
type name tbl_name rootpage sql
How can I make it work?
Int32 tableCount2 = database.Query(map, "SELECT * FROM UserTable WHERE NameOfUser = '" + personsName + "'", ps).Count;
But, as said before, you better use C# SQLite prepared statements to prevent SQL injection, check this: C# SQLite tutorial and search for ‘prepared’
Please mark as answer when it worked.
CU