Hi,
The delimiter thing isn't relevant with the prepared statements interface. The bound parameter is known to be a data item, not an SQL delimiter like the SQL quote character (').
Yeah, I tried to do some SQL injection, and it didn't work :)
You should be safe using strlen rather than subtracting 1 from it. strlen() returns the number of characters in a string, not including the terminating NULL. That's what sqlite3_prepare() is expecting.

Actually, the part about -1 would be from the docs:
"If the next argument, "nBytes", is less than zero, then zSql is read up to the first nul terminator."
Wouldn't it be simpler to just use -1 (or some other negative integer) instead of sizeof() or strlen() then (for sqlite3_prepare(), at least)?
I'm glad that my article was of some use to you in using the sqlite_prepare() interface.
Yep, thanks for writing it, Clay.
Eugene Wee