SQLQuery3.SQL.Text:=('UPDATE :TableParam SET :FieldParam =:CompletedParam WHERE ID =:RowParam;');
stmt := db.prepare('pragma table_info(' + TableParam + ')') // String construction ok since we have verified that TableParam is good
stmt.execute()
cid  name        type      notnull  dflt_value  pk
---  ----------  --------  -------  ----------  --
0    id          integer   1                    1
1    key         varchar   1                    0
2    title       varchar   1                    0
3    country_id  integer   0                    0
4    club        boolean   1        'f'         0
5    created_at  datetime  1                    0
6    updated_at  datetime  1                    0
Here's the full code. SQLQuery2 loads various things from the HandOffs table, but so far I've only implemented the code to read the 'Element' field. There is also a field in that table that stores the name of the required table for the update statement, but as I haven't done it yet I've just made the table param refer to the 'Custom1' table. The ShowMessage box in the middle of the code is just a test to confirm that the field name is being read correctly and passed on to the ProtocolElement variable.
So in a nutshell, I'm loading table and field names from the HandOffs table, and then updating that table and field using SQLQuery3.
To avoid an injection attack, you should still verify that TableParam and FieldParam are valid. First, query the table sqlite_master for the table name:
*snip*
If the query is good, meaning the table named by TableParam exists, then check FieldParam via TableParam's metadata using the pragma table_info(). Pseudocode below, as I don't have any handy Pascal code demonstrating the same:
*snip*
Programmatically, the pragma's output is itself an SQLite 'result set', and your application code then verifies the 'name' and 'type' columns for FieldParam using said output.
After determining that the column FieldParam exists and is of the expected type, then you construct your query string.
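The whole procedure from the answer above (check TableParam against sqlite_master, check FieldParam and its declared type against pragma table_info, only then build the UPDATE with the identifiers interpolated and the value and row id still bound as parameters), written out as an added example. It is not code from the thread, and it is Python with the standard sqlite3 module rather than Pascal/SQLdb, so the SQLite logic carries over but the calls do not; the table Custom1, its column layout (taken from the pragma output quoted earlier) and the sample rows are constructed for the example.

```python
import sqlite3

# Constructed in-memory schema mirroring the 'pragma table_info' output quoted in the
# thread; the table name Custom1, its columns and the sample rows are assumptions.
SCHEMA = """
CREATE TABLE Custom1 (
    id         integer  NOT NULL PRIMARY KEY,
    key        varchar  NOT NULL,
    title      varchar  NOT NULL,
    country_id integer,
    club       boolean  NOT NULL DEFAULT 'f',
    created_at datetime NOT NULL,
    updated_at datetime NOT NULL
);
INSERT INTO Custom1 VALUES (1, 'k1', 'first',  NULL, 'f', '2020-01-01', '2020-01-01');
INSERT INTO Custom1 VALUES (2, 'k2', 'second', NULL, 'f', '2020-01-01', '2020-01-01');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def quote_ident(name):
    # SQL identifier quoting: wrap in double quotes and double any embedded quote.
    return '"' + name.replace('"', '""') + '"'


def table_exists(conn, table):
    # The table name is data in sqlite_master, so it is bound as a parameter here;
    # nothing is concatenated into the SQL text.
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def find_column(conn, table, column):
    # PRAGMA arguments cannot be bound, so this is only called after table_exists()
    # succeeded, and the name is identifier-quoted as well. Returns
    # (canonical_name, declared_type) or None. SQLite column names are
    # case-insensitive, hence the lower() comparison.
    for _cid, name, ctype, _notnull, _dflt, _pk in conn.execute(
        "PRAGMA table_info(" + quote_ident(table) + ")"
    ):
        if name.lower() == column.lower():
            return name, ctype
    return None


def update_field(conn, table, field, value, row_id, expected_type=None):
    """Validate TableParam/FieldParam against the catalog, then UPDATE with bound values."""
    if not table_exists(conn, table):
        raise ValueError("unknown table: %r" % table)
    col = find_column(conn, table, field)
    if col is None:
        raise ValueError("unknown column %r in table %r" % (field, table))
    name, ctype = col
    if expected_type is not None and ctype.lower() != expected_type.lower():
        raise ValueError("column %r is %s, expected %s" % (name, ctype, expected_type))
    # Only the two identifiers are interpolated, and both were just checked against the
    # schema; the new value and the row id are still bound as ordinary parameters.
    sql = "UPDATE %s SET %s = ? WHERE id = ?" % (quote_ident(table), quote_ident(name))
    cur = conn.execute(sql, (value, row_id))
    conn.commit()
    return cur.rowcount


def demo():
    conn = open_db()
    results = {}
    results["updated"] = update_field(conn, "Custom1", "title", "changed", 1, "varchar")
    results["title"] = conn.execute("SELECT title FROM Custom1 WHERE id = 1").fetchone()[0]
    # Constructed injection attempts: each is rejected before any UPDATE text is built.
    for table, field in [
        ("Custom1; DROP TABLE Custom1; --", "title"),
        ("Custom1", "title = 'x' WHERE 1=1; --"),
    ]:
        try:
            update_field(conn, table, field, "x", 1)
            results[(table, field)] = "accepted"
        except ValueError as exc:
            results[(table, field)] = "rejected: " + str(exc)
    results["tables_left"] = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table'"
    ).fetchone()[0]
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, "->", val)
```

The rejected identifiers never reach the UPDATE because the lookups treat them as plain values; the quoting in quote_ident is a second layer, not the thing the design relies on. Passing the expected declared type (here 'varchar') is what the answer means by checking the 'type' column: a HandOffs row that points at the wrong kind of column is refused instead of silently written.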