Kavita Raghunathan wrote:
> sprintf(SqlStr, "INSERT INTO %s (AttrName, AttrEnum, AttrType,
> AttrValue, ReadWrite, Entity_id) VALUES('%s', %d, %d, '%s', %d,
> %d);", tbl_name, db[i]->attr_name, db[i]->attr_num, db[i]->attr_type,
> db[i]->attr_value, db[i]->attr_src, entity_id);

Don't do that. What if attr_name contains a ' character (or, as you say, some other weird character)? Instead, prepare a statement with sqlite variables, and bind values to those variables using the sqlite3_bind* family of interfaces:

http://sqlite.org/c3ref/bind_blob.html

I have no specific knowledge on whether sqlite handles null characters within the variables' values--but if I were a betting man, I'd bet that it handles them quite cleanly.

--
Eric A. Smith

I think there's a world market for about five computers.
    -- attr. Thomas J. Watson (Chairman of the Board, IBM), 1943