Roger:
Thanks for your input.
Actually, I was already using the suggested functions, but for some reason the
sections with strings where user input can add single quotes have kept that
legacy code.
Anyway, thanks again, although I need to verify that the "bind" method does not
have problems with that kind of string.
A.J. Millan
A.J.Millan wrote:
> Actually I have an application that regularly uses expressions as:
>
> char *zUserName = "My name";
> char *zSQL = sqlite3_mprintf ("INSERT INTO table VALUES('%q')", zUserName);
Why aren't you using bound parameters? It is far harder to do what you are
doing above, less efficient and has the potential for SQL injection attacks
(unless you remembered %q everywhere!)
These are the functions you need:
http://www.sqlite.org/c3ref/bind_blob.html
Roger
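The contrast Roger is drawing, shown as an added example that is not from either poster: it uses Python's standard-library sqlite3 module, which wraps the same C API (a `?` placeholder is an sqlite3_bind_* call underneath), so the behaviour carries over to the C code quoted above. The `users` table, the sample names, and the `q_escape` helper (a minimal imitation of what `%q` does, doubling single quotes) are all constructed for the example.

```python
import sqlite3


def _fresh_db():
    """Constructed in-memory database with a one-column table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL)")
    return conn


def _rows(conn):
    return [row[0] for row in conn.execute("SELECT name FROM users ORDER BY rowid")]


def q_escape(value):
    """Imitates what sqlite3_mprintf's %q does for a text literal:
    every single quote is doubled so it stays inside the quoted string."""
    return value.replace("'", "''")


def insert_formatted(name):
    """The legacy pattern from the thread, minus %q: the value is spliced
    into the SQL text. An apostrophe in the input terminates the literal
    early, so the statement no longer parses."""
    conn = _fresh_db()
    try:
        conn.execute("INSERT INTO users VALUES('%s')" % name)
        return ("ok", _rows(conn))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    finally:
        conn.close()


def insert_escaped(name):
    """Same splicing, but through the %q-style escape. Correct for text,
    yet it only works if every single call site remembers to escape."""
    conn = _fresh_db()
    try:
        conn.execute("INSERT INTO users VALUES('%s')" % q_escape(name))
        return ("ok", _rows(conn))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    finally:
        conn.close()


def insert_bound(name):
    """Bound parameter: the SQL text is fixed and the value travels
    separately, so quotes in the input are data and never need escaping."""
    conn = _fresh_db()
    try:
        conn.execute("INSERT INTO users VALUES(?)", (name,))
        return ("ok", _rows(conn))
    finally:
        conn.close()


def insert_many_bound(names):
    """The efficiency half of the argument: one prepared statement,
    rebound for each value, instead of formatting and parsing N strings."""
    conn = _fresh_db()
    try:
        conn.executemany("INSERT INTO users VALUES(?)", [(n,) for n in names])
        return _rows(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample input that contains a single quote.
    for fn in (insert_formatted, insert_escaped, insert_bound):
        print(fn.__name__, fn("O'Brien"))
    print(insert_many_bound(["Alice", "O'Brien", "it's 'quoted'"]))
```

Running it shows `insert_formatted` failing with an `OperationalError` on `O'Brien`, while the escaped and bound versions both store the name verbatim; the difference is that the bound version has nothing to forget at the call site, which is the point Roger makes about `%q`.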
_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users