On 31.12.2009 at 18:14, Kees Nuyt wrote:

> In short: if you use the sqlite3_prepare*() and
> sqlite3_bind*() interface you don't have to escape single
> quotes. Only if you compose a complete SQL statement for the
> deprecated sqlite3_exec() call and using the sqlite3 command
> line tool, where single quotes are used for text literals,
> you'd have to worry about escaping single quotes

Actually, even when using sqlite3_prepare*(), you'll have to escape quotes if you're _not_ binding all parameters. Obviously, this is very similar to using sqlite3_exec(), but the above quote makes it sound like using sqlite3_prepare*() might be sufficient to avoid escaping... It's actually the use of sqlite3_bind*() that makes escaping unnecessary...

</jum>

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
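An added example, not part of the original thread: a statement that is prepared but only partly bound still needs quote escaping for the value pasted into its text, while a fully bound one does not. It uses Python's `sqlite3` module (which calls `sqlite3_prepare_v2()` and `sqlite3_bind_*()` internally) instead of the C API; the table, data and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data for this example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (name TEXT, city TEXT)")
    db.executemany("INSERT INTO people VALUES (?, ?)",
                   [("O'Brien", "Cork"), ("Smith", "Leeds")])
    return db

def sql_quote(text):
    # SQL text literal: wrap in single quotes, double each embedded one.
    return "'" + text.replace("'", "''") + "'"

def partly_bound_raw(db, name, city):
    # city is bound, but name is pasted into the SQL text unescaped.
    sql = "SELECT city FROM people WHERE name = '" + name + "' AND city = ?"
    return db.execute(sql, (city,)).fetchall()

def partly_bound_escaped(db, name, city):
    # Same statement shape, with the pasted value escaped as a literal.
    sql = ("SELECT city FROM people WHERE name = " + sql_quote(name)
           + " AND city = ?")
    return db.execute(sql, (city,)).fetchall()

def fully_bound(db, name, city):
    # Every value is bound, so the SQL text never contains user data.
    sql = "SELECT city FROM people WHERE name = ? AND city = ?"
    return db.execute(sql, (name, city)).fetchall()

def raw_fails(db, name, city):
    # True if the unescaped, partly bound statement is rejected by SQLite.
    try:
        partly_bound_raw(db, name, city)
    except sqlite3.Error:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("raw, O'Brien fails:", raw_fails(db, "O'Brien", "Cork"))
    print("escaped:", partly_bound_escaped(db, "O'Brien", "Cork"))
    print("fully bound:", fully_bound(db, "O'Brien", "Cork"))
```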