Re: [sqlite] Looking for a w_char alternative to the sqlite3_mprintf family of functions

2009-07-31 Thread Roger Binns

a...@zator.com wrote:
> I need to verify that the "bind" method does not have problems with that kind of 
> strings.

The method to bind a string has no problem with any kind of string.  Behind
the scenes it does not convert what you supply into some sort of formatted
string.  Whatever you bind is what goes directly into the database - there
is no interpretation, tidying, escaping or anything else.  Heck you can even
include embedded nulls if you want!

Roger
___
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users


Re: [sqlite] Looking for a w_char alternative to the sqlite3_mprintf family of functions

2009-07-31 Thread ajm
Roger:

Thanks for your input.

Really, I was already using the suggested functions, but for some reason the 
sections with strings where user input can add single quotes have 
maintained that legacy code.

Anyway, thanks again, although I need to verify that the "bind" method does not 
have problems with that kind of string.

A.J. Millan



Re: [sqlite] Looking for a w_char alternative to the sqlite3_mprintf family of functions

2009-07-30 Thread Roger Binns

A.J.Millan wrote:
> Actually I have an application that regularly uses expressions as:
> 
> char *zUserName = "My name";
> char *zSQL = sqlite3_mprintf ("INSERT INTO table VALUES('%q')", zUserName);

Why aren't you using bound parameters?  It is far harder to do what you are
doing above, less efficient and has the potential for SQL injection attacks
(unless you remembered %q everywhere!)

These are the functions you need:

 http://www.sqlite.org/c3ref/bind_blob.html

Roger
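Roger's two points in this thread (bound parameters never become SQL text, so %q is not needed, and a bound value may even contain embedded NULs) can be checked against the real engine. The following is an added example, not code from the list or from SQLite; it uses Python's standard sqlite3 module, which calls sqlite3_bind_text underneath (a C program binding a wchar_t string would use sqlite3_bind_text16 the same way). mprintf_q and mprintf_s are stand-ins written here to mimic sqlite3_mprintf's %q and %s on a NUL-terminated C string.

```python
import sqlite3

def mprintf_q(template, value):
    """Mimic sqlite3_mprintf("...%q...", value): the argument is a NUL-terminated
    C string, so it ends at the first NUL, and every single quote is doubled so
    the text can sit inside a '...' SQL literal."""
    c_string = value.split("\x00", 1)[0]
    return template.replace("%q", c_string.replace("'", "''"))

def mprintf_s(template, value):
    """Mimic "%s": same C-string truncation, but no quote doubling, i.e. the
    case where %q was forgotten."""
    return template.replace("%s", value.split("\x00", 1)[0])

def stored_names(name, method):
    """Insert `name` into a fresh in-memory table with the chosen method and
    return the rows that actually end up stored, or None if SQLite rejects the
    statement (a syntax error from broken quoting)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t(name TEXT)")
    try:
        if method == "bind":
            # Bound parameter: the value is handed to sqlite3_bind_text with its
            # byte length and never becomes SQL text, so nothing is parsed,
            # escaped or cut off at a NUL.
            conn.execute("INSERT INTO t(name) VALUES(?)", (name,))
        elif method == "mprintf_q":
            conn.execute(mprintf_q("INSERT INTO t(name) VALUES('%q')", name))
        elif method == "mprintf_s":
            conn.execute(mprintf_s("INSERT INTO t(name) VALUES('%s')", name))
        else:
            raise ValueError("unknown method: " + method)
    except sqlite3.Error:
        return None
    return [row[0] for row in conn.execute("SELECT name FROM t")]

if __name__ == "__main__":
    # Constructed sample inputs: a quote, a quote that closes the literal early,
    # an embedded NUL, and a non-ASCII name.
    for name in ["O'Brien", "a'),('injected", "ab\x00cd", "我的名字"]:
        for method in ["mprintf_s", "mprintf_q", "bind"]:
            print(repr(name), method, stored_names(name, method))
```

Only the bound version stores every input unchanged: with %s a stray quote either breaks the statement or adds a row the caller never intended, and even %q silently drops everything after an embedded NUL.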


[sqlite] Looking for a w_char alternative to the sqlite3_mprintf family of functions

2009-07-30 Thread A.J.Millan
Hi list:

Actually I have an application that regularly uses expressions as:

char *zUserName = "My name";
char *zSQL = sqlite3_mprintf ("INSERT INTO table VALUES('%q')", zUserName);

Because of internationalization I need to use Unicode instead of ASCII chars:

wchar_t *zwUserName = L"My Chinese Name";

wchar_t *zwSQL = sqlite3_x ("INSERT INTO table VALUES('%q')", zwUserName);

Any suggestion?

Thanks in advance

A.J.Millan