Hi,

How do I form the SQL query (in SQLite) for the following problem?

table:
44
442
4454

Input String: 4429845

Expected output from SQL query: 442

regards
ragha
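One way to answer the question above is a longest-prefix match: keep every stored value that the input string starts with, and take the longest. The following is an added example, not code from the original thread; it uses Python's built-in sqlite3 module with a constructed in-memory table holding the three rows from the question (table and column names are assumptions). It also shows the LIKE form that is the common first attempt, because LIKE interprets '%' and '_' inside a stored value as wildcards, so a row such as '4_' would wrongly match '45'; comparing with substr() has no such metacharacters.

```python
import sqlite3

# Constructed sample data: the three rows given in the question.
SAMPLE_PREFIXES = ["44", "442", "4454"]


def build_db(prefixes=SAMPLE_PREFIXES) -> sqlite3.Connection:
    """Create an in-memory table 'prefixes' (assumed name) with the given rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prefixes (prefix TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO prefixes (prefix) VALUES (?)",
                     [(p,) for p in prefixes])
    conn.commit()
    return conn


def longest_prefix(conn: sqlite3.Connection, number: str):
    """Return the longest stored prefix that `number` begins with, or None.

    substr(?, 1, length(prefix)) takes as many leading characters of the
    bound input as the row's prefix is long and compares them literally,
    so nothing in the stored value is treated as a wildcard.
    """
    row = conn.execute(
        "SELECT prefix FROM prefixes"
        " WHERE substr(?, 1, length(prefix)) = prefix"
        " ORDER BY length(prefix) DESC LIMIT 1",
        (number,),
    ).fetchone()
    return row[0] if row else None


def longest_prefix_like(conn: sqlite3.Connection, number: str):
    """Same idea written with LIKE, kept here only to show the pitfall:
    '%' and '_' inside a stored prefix act as wildcards in this form."""
    row = conn.execute(
        "SELECT prefix FROM prefixes"
        " WHERE ? LIKE prefix || '%'"
        " ORDER BY length(prefix) DESC LIMIT 1",
        (number,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = build_db()
    print(longest_prefix(db, "4429845"))       # 442
    odd = build_db(["4_"])                      # constructed row with an underscore
    print(longest_prefix_like(odd, "45"))       # 4_  (wildcard match, wrong)
    print(longest_prefix(odd, "45"))            # None (literal comparison)
```

For the input 4429845 both 44 and 442 qualify and 4454 does not, so ordering by length(prefix) descending and taking one row yields 442. If the table is large, an index on prefix does not help this predicate; for a few thousand rows a full scan is still fast.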



----- Original Message -----
From: Trevor Talbot <[EMAIL PROTECTED]>
Date: Monday, August 6, 2007 2:39 pm
Subject: Re: [sqlite] a c++ newbie question

> On 8/5/07, Stephen Sutherland <[EMAIL PROTECTED]> wrote:
> 
> > I am trying to treat a string before passing it through my SQL
> > statement into the database.
> >
> > I know that a single apostrophe will break the SQL statement.
> > So I have to replace them all with double apostrophes.
> >
> > But are there any other characters that will break the SQL
> > statement?
> >
> > I actually have a situation where the user creates an XML file
> > and the contents of the XML file get dumped in the database. So
> > there is opportunity for a hacker to create an XML file which has
> > some SQL statements in it like ' DELETE TABLE X ;
> >
> > So any thoughts or existing code would be great.
> 
> Don't attempt to treat strings at all.  Instead, always use the
> parametric binding API for whatever database you're using.  You
> prepare statements like "INSERT INTO table VALUES (?)", and then pass
> in the input string as a separate argument for the database engine to
> put in place of the "?".  This avoids the entire problem of escaping
> special characters, and you don't need to treat your input data
> specially.
> 
> For sqlite, use sqlite3_prepare_v2() and sqlite3_bind_text().
> http://sqlite.org/capi3.html should get you up to speed on the
> process, and browse through the other documents on the site for more
> information.
> 
> 
> 

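The advice in the quoted reply, binding values instead of splicing them into the SQL text, as an added example that is not part of the original thread. It uses Python's built-in sqlite3 module, which calls sqlite3_prepare_v2() and sqlite3_bind_text() underneath, so the `?` placeholder works exactly as described; the table name and the sample strings are constructed for the example. The naive form is kept only to contrast: an apostrophe in the data makes SQLite reject the statement, whereas the bound form stores the text unchanged, including content that looks like SQL.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table 'notes' (assumed name) standing in for the one the
    XML contents get dumped into."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (body TEXT)")
    return conn


def store_naive(conn: sqlite3.Connection, body: str) -> bool:
    """The approach the question starts from: splice the text into the SQL.

    Returns False when SQLite rejects the resulting statement. Shown only to
    contrast with store_bound; do not use this form.
    """
    try:
        conn.execute("INSERT INTO notes (body) VALUES ('" + body + "')")
        return True
    except sqlite3.OperationalError:
        return False


def store_bound(conn: sqlite3.Connection, body: str) -> bool:
    """Parametric binding: the SQL text is fixed, the value travels separately
    and is never parsed as SQL, so no escaping of the input is needed."""
    conn.execute("INSERT INTO notes (body) VALUES (?)", (body,))
    return True


def stored_bodies(conn: sqlite3.Connection):
    """Return every stored body in insertion order."""
    return [row[0] for row in conn.execute("SELECT body FROM notes ORDER BY rowid")]


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    """Check the schema catalogue for a table, again via a bound parameter."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = build_db()
    print(store_naive(db, "O'Reilly"))                      # False: broken statement
    print(store_bound(db, "O'Reilly"))                      # True
    # Constructed XML snippet carrying the string from the question.
    print(store_bound(db, "<item>' DELETE TABLE X ;</item>"))  # True, stored as plain text
    print(stored_bodies(db))
    print(table_exists(db, "notes"))                        # True
```

Because the statement text never changes, the same prepared statement can be reused for every row, and the only thing the caller has to get right is passing the value through the bind API rather than through string concatenation.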