Hi Ragha,

C:\Joinerysoft\JMS\TestArea>sqlite3 tst.db
SQLite version 3.4.0
Enter ".help" for instructions
sqlite>
sqlite> create table tst( c1 integer, c2 test );
sqlite> insert into tst values( 1, '44' );
sqlite> insert into tst values( 2, '442' );
sqlite> insert into tst values( 3, '4454' );
sqlite>
sqlite> select * from tst where '4429845' > cast( c2 as text ) order by c2 desc limit 1;
2|442

Maybe not the most efficient way, but seems to give requested result...

Rgds
Simon

On 06/08/07, RaghavendraK 70574 <[EMAIL PROTECTED]> wrote:
> Hi,
>
> How to form the SQL query(in SQLite) for the following problem below
>
> table:
> 44
> 442
> 4454
>
> Input String: 4429845
>
> Expected output from SQL query: 442
>
> regards
> ragha
>
> ----- Original Message -----
> From: Trevor Talbot <[EMAIL PROTECTED]>
> Date: Monday, August 6, 2007 2:39 pm
> Subject: Re: [sqlite] a c++ newbie question
>
> > On 8/5/07, Stephen Sutherland <[EMAIL PROTECTED]> wrote:
> >
> > > I am trying to treat a string before passing it through my SQL
> > > statement into the database.
> > >
> > > I know that a single apostrophe will break the SQL statement.
> > > So I have to replace them all to double apostrophes.
> > >
> > > But are there any other characters that will break the SQL
> > > statement ?
> > >
> > > I actually have a situation where the user creates an XML file
> > > and the contents of the XML file gets dumped in the database. So
> > > there is opportunity for a hacker to create an XML file which has
> > > some SQL statements in it like ' DELETE TABLE X ;
> > >
> > > So any thoughts or existing code would be great.
> >
> > Don't attempt to treat strings at all. Instead, always use the
> > parametric binding API for whatever database you're using. You
> > prepare statements like "INSERT INTO table VALUES (?)", and then pass
> > in the input string as a separate argument for the database engine to
> > put in place of the "?". This avoids the entire problem of escaping
> > special characters, and you don't need to treat your input data
> > specially.
> >
> > For sqlite, use sqlite3_prepare_v2() and sqlite3_bind_text().
> > http://sqlite.org/capi3.html should get you up to speed on the
> > process, and browse through the other documents on the site for more
> > information.
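
The binding advice quoted above, as an added example that is not part of the original thread: it uses Python's built-in sqlite3 module rather than the C API named in the thread, where passing values alongside a "?" placeholder performs the bind step. The table name, helper names and the sample XML are constructed for illustration.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed input: XML item texts with an apostrophe, the SQL fragment
# quoted in the thread, and a value that is valid SQL when pasted in.
SAMPLE_XML = ("<doc><item>O'Neil</item>"
              "<item>' DELETE TABLE X ;</item>"
              "<item>a' || 'b</item></doc>")


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, body TEXT)")
    return db


def insert_concatenated(db, text):
    """The 'before': the value is pasted into the SQL text itself."""
    db.execute("INSERT INTO items (body) VALUES ('" + text + "')")


def insert_bound(db, text):
    """The fix: the SQL text is constant; the value is a bound parameter."""
    db.execute("INSERT INTO items (body) VALUES (?)", (text,))


def load_xml(db, xml_text, insert):
    """Insert every <item> text; return how many inserts the engine rejected."""
    failures = 0
    for node in ET.fromstring(xml_text).iter("item"):
        try:
            insert(db, node.text or "")
        except sqlite3.Error:
            failures += 1
    return failures


def stored(db):
    return [row[0] for row in db.execute("SELECT body FROM items ORDER BY id")]


if __name__ == "__main__":
    for fn in (insert_concatenated, insert_bound):
        db = open_db()
        print(fn.__name__, "failures:", load_xml(db, SAMPLE_XML, fn), stored(db))
```

With concatenation, two inserts are rejected as malformed SQL and the third is silently stored as "ab" because its text was evaluated as an expression; with binding, all three values are stored byte for byte.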