How can I escape sqlite3 query parameters in bash?

I have a script that boils down to this right now:

#!/bin/bash

SEARCH_PARAM="$1"
SQLITE3_DB="$2"

# Don't inject me please :(
sqlite3 "$SQLITE3_DB" "SELECT foo FROM Bar WHERE bundleId='$SEARCH_PARAM';"

A glaring problem is that the $SEARCH_PARAM value is very vulnerable to SQL injection. Can I fix that from the bash script or do I need to drop in another scripting language, like Python, to get access to query parameters?

How can I escape characters in SQLite via bash shell? is similar but it has fixed string arguments.

Solution

In SQL strings, the only character that needs escaping is the single quote, which must be doubled.

This can be done by using pattern substitution in the parameter expansion:

sqlite3 "..." "... bundleId = '${SEARCH_PARAM//\'/\'\'}';"

(Non-standard SQL implementations like MySQL might have additional characters that need escaping.)

increment a column and line number value using bash
10 second delay between login and shell prompt.
Can you assign associative arrays to variables in bash?
How to make find terminate when an -execdir script fails?
Exporting an array in bash script
check if a file is jpeg format using shell script
Count number of lines in a non binary file (Like a CSV or a TXT) file in terminal
Closing screen by bash script
Calling a bash script from Gitlab CI
AWK: backslash as one of the many field seperators
Warning: Could not start program with arguments. Warning: Exec format error
How to compare two tab-separated files and mark 'Fail' if col6 of file1 matches col2 of file2, else 'Pass'?
How to pass all arguments passed to my Bash script to a function of mine?
bulk operation with reformat.sh (bbmap)
How to rename file with bash by adding first symbol - dot?
How to pass a string with spaces as http POST data using curl
How can I use source in golang's os.StartProcess arguments?
Sub-shell differences between bash and ksh
linux script that monitors file changes within folders (like autospec does!)
How to check if running as root in a bash script
How do you write lifecycle configurations for SageMaker on windows?
I need a way to automate an existing script which contains DIALOG
why indirect variable reference not work in bash dictionary
The dig command changes its behaviour regarding umlauts if used with a pipe
find unique entries in one field across two CSV files with shell and friends
Running bash scripts with npm
"echo" output different answer by sh and bash
Linux - Bash - Get $releasever and $basearch values?
When installing Rust toolchain in Docker, Bash `source` command doesn't work
Append some text to the end of multiple files in Linux