Hi again,

> And make that
> #define SEX "M"

I have only worked with databases in PHP, and there SQL injection is a concern.
I could hardcode the query as:
SELECT name FROM children WHERE sex='M';
SELECT name FROM children WHERE sex='F';
And they work when prepared separately, of course.
So is:
SELECT name FROM children WHERE sex=:sex;
correct when what is bound to ":sex" is not delimited?


> So either pass sizeof(TESTSTR)-1 which is the "fast" way since the calculation
> of the length is determined at compile time; or pass strlen(TESTSTR) which
> calculates the length of the string at run time.  sizeof requires subtracting
> one to account for the null terminator byte which sizeof includes but isn't
> wanted in sqlite3_bind_text().

On the sizeof vs strlen issue, the docs were not clear to me whether I should pass number of bytes or number of characters. It isn't even explicit that the argument is related to the string passed.
I chose sizeof because sqlite3_prepare()'s nBytes argument asked for "Length of zSql in bytes", so I presumed that this requirement for bytes would be consistent.


Anyway, I made the adjustment to use sizeof(SEX)-1, and modified to #define SEX "M", and it now works after I recompiled :)
I did try those changes myself yesterday, but it so happened that every time I tried one, I didn't try the other :o


But I'm still curious as to the delimiter thing, hope someone can clarify.
Oh, and also, does sqlite3_prepare() ask for the length of the statement string in bytes including the null terminator, or excluding it? Or is it safe to use -1 most of the time?


Thanks,
Eugene
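An added example, not part of Eugene's mail or the reply, illustrating the delimiter question above: the value bound to a named parameter such as :sex is passed bare, with no quotes, and SQLite compares it literally rather than re-parsing it as SQL. It uses Python's standard-library sqlite3 module (the same library underneath; sqlite3_bind_text in C behaves the same way) with a constructed in-memory table named children, as in the thread.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory 'children' table matching the thread's query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE children (name TEXT, sex TEXT)")
    conn.executemany(
        "INSERT INTO children VALUES (?, ?)",
        [("Alice", "F"), ("Bob", "M"), ("Carol", "F"), ("Dave", "M")],
    )
    conn.commit()
    return conn


def children_by_sex(conn, sex):
    """Run the statement from the thread with :sex as a named parameter.

    The bound value is supplied without any quote delimiters; the library
    adds none either, and the value is never interpreted as SQL text.
    """
    cur = conn.execute(
        "SELECT name FROM children WHERE sex=:sex ORDER BY name",
        {"sex": sex},
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = make_db()
    # Bare value: matches the rows stored as 'M'.
    print(children_by_sex(db, "M"))
    # Adding delimiters yourself makes the literal three-character value 'M'
    # the comparison operand, so nothing matches.
    print(children_by_sex(db, "'M'"))
    # A value containing quote characters is still compared literally,
    # which is why binding removes the injection concern mentioned above.
    print(children_by_sex(db, "M' OR '1'='1"))
```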
