On 3/20/06, Tito Ciuro <[EMAIL PROTECTED]> wrote: > If I escape single quotes (that is, from "'" to "''"), then > everything is fine. I usually do that when I want to query for a > value that contains a quote (i.e. O'Rourke). > > However, why do I have to manipulate the string value to be stored? > Shouldn't SQLite allow me to store any string I want? SQLite does allow you to store any string. There are two ways to do it properly. You can either embed you string in your SQL statement with all single quotes in string escaped. Which is what you did here. Though this is not the recommended way. Recommended way to do it is to use sqlite3_prepare()/sqlite3_bind_text()/sqlite3_step() instead of escaping. When you use prepared statements you can bind your string to a parameter in that prepared statement without escaping it.
Difference is that when you embed your string inside SQL statement you have to escape string first to enable SQLite parser to understand your SQL. If you don't escape it, you usually get some "Unrecognized token" error. Or even worse, you can be vulnerable to SQL injection. But if you use prepared statements with only a placeholder for your string then SQLite just leaves that place "empty" and waits for you to bind some value to it later, after call to sqlite3_prepare(). But if you do it like this, then you don't have to escape your string because you're already past the SQLite parser and single quotes in your string are not important anymore since SQLite parser will never see them. -- Nemanja Corlija <[EMAIL PROTECTED]>
