In addition to performance, consider bugs and security. Read up on: http://en.wikipedia.org/wiki/SQL_injection
I strive to always use the bind version of whatever database API I'm using, because constructing SQL leads to this kind of problem often enough that it's just not worth it. That's not even considering how often sprintf itself leads to security bugs! Additionally, even when you aren't using user data to construct the SQL (so there's no direct exploit), constructed SQL statements tend to be more prone to bugs over time. If it is routinely more convenient to construct SQL strings than it is to use bind-style APIs, you should perhaps consider writing a wrapper API to make things easier. -scott On Thu, May 14, 2009 at 10:29 AM, Joanne Pham <[email protected]> wrote: > Hi all, > I would like to update the database and there are two ways to do it and I > were wondering which way is better: > 1) Way 1 - used the sqlite3_preare, sqlite3_bind , sqlite3_step ... > q = "UPDATE logTable SET stale = ? WHERE id = ?"; > rc = sqlite3_prepare(updateSqli q, -1, &pstmt, 0); > if (rc != SQLITE_OK) { > fprintf(stderr, "Error prepare: %s\n", __FUNCTION__); > return -1; > } > ret = sqlite3_bind_int(pstmt, 1, 0); > ret = sqlite3_bind_int64(pstmt, 2, rpid); > rc = sqlite3_step(pstmt); > rc = sqlite3_reset(pstmt); > rc = sqlite3_finalize(pstmt); > > 2) Way #2 > q = "UPDATE logTable SET stale = 1 WHERE id = "; > sprintf(sqlStmt,"%s%d ",q,rpid); > sqlSt = sqlite3_exec(pDb, sqlStmt, NULL, 0, &errMsg) ; > if (sqlSt != SQLITE_OK ) { > // print out error message > sqlite3_free(errMsg); > } > ... > > Which way is better in term of performance. > Thanks > JP > > > > _______________________________________________ > sqlite-users mailing list > [email protected] > http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users > _______________________________________________ sqlite-users mailing list [email protected] http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
