Kavita Raghunathan wrote:
> sprintf(SqlStr, "INSERT INTO %s (AttrName, AttrEnum, AttrType,
> AttrValue, ReadWrite, Entity_id) VALUES('%s', %d, %d, '%s', %d,
> %d);", tbl_name, db[i]->attr_name, db[i]->attr_num, db[i]->attr_type,
> db[i]->attr_value, db[i]->attr_src, entity_id);
Don't do that. What if attr_name contains a ' character (or, as you
say, some other weird character)?
Instead, prepare a statement with sqlite variables, and bind values to
those variables using the sqlite3_bind* family of interfaces:
http://sqlite.org/c3ref/bind_blob.html
I have no specific knowledge of whether sqlite handles null characters
within the variables' values, but if I were a betting man, I'd bet that
it handles them quite cleanly.
--
Eric A. Smith
I think there's a world market for about five computers.
-- attr. Thomas J. Watson (Chairman of the Board, IBM), 1943
_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
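A worked version of the advice in this reply, added here as an example and not code from anyone in the thread. It uses Python's sqlite3 module (which calls sqlite3_bind_text()/sqlite3_bind_int() under the hood) rather than the C API so it runs stand-alone; the table name, the CREATE TABLE schema, the "O'Brien" input and the injected payload are all constructed for the demonstration, using only the column names visible in the quoted sprintf(). It puts the sprintf()-style splice next to the bound-parameter version and feeds both a value with an apostrophe, a crafted AttrName, and a value with an embedded NUL.

```python
import sqlite3

# Constructed sample schema using the column names from the quoted sprintf();
# the real table definition is not part of the thread.
TABLE = "attrs"
COLS = "(AttrName, AttrEnum, AttrType, AttrValue, ReadWrite, Entity_id)"
ALLOWED_TABLES = {TABLE}   # a table name cannot be bound, so allow-list it


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.execute(
        f"CREATE TABLE {TABLE} (AttrName TEXT, AttrEnum INTEGER, AttrType INTEGER, "
        "AttrValue TEXT, ReadWrite INTEGER, Entity_id INTEGER)"
    )
    return con


def insert_unsafe(con, tbl_name, attr_name, attr_num, attr_type,
                  attr_value, attr_src, entity_id):
    """What the quoted sprintf() does: splice the values into the SQL text."""
    sql = "INSERT INTO %s %s VALUES('%s', %d, %d, '%s', %d, %d);" % (
        tbl_name, COLS, attr_name, attr_num, attr_type, attr_value, attr_src, entity_id)
    con.execute(sql)      # prepare + step whatever string came out of the splice
    con.commit()


def insert_bound(con, tbl_name, attr_name, attr_num, attr_type,
                 attr_value, attr_src, entity_id):
    """The fix: fixed SQL text with ? placeholders, values bound separately."""
    if tbl_name not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % tbl_name)
    sql = 'INSERT INTO "%s" %s VALUES(?, ?, ?, ?, ?, ?);' % (tbl_name, COLS)
    con.execute(sql, (attr_name, attr_num, attr_type, attr_value, attr_src, entity_id))
    con.commit()


def rows(con):
    return con.execute(
        "SELECT AttrName, AttrEnum, AttrType, AttrValue, ReadWrite, Entity_id "
        "FROM %s ORDER BY rowid" % TABLE
    ).fetchall()


def demo():
    results = {}

    # 1. An ordinary value containing an apostrophe breaks the spliced query.
    con = fresh_db()
    try:
        insert_unsafe(con, TABLE, "O'Brien", 1, 2, "v", 0, 7)
        results["quote_unsafe"] = "inserted"
    except sqlite3.Error as e:
        results["quote_unsafe"] = "error: %s" % e

    # 2. A crafted AttrName closes the VALUES list early and comments out the
    #    rest, so the attacker chooses ReadWrite and Entity_id, not the caller.
    con = fresh_db()
    payload = "x', 0, 0, 'pwned', 1, 999); --"
    insert_unsafe(con, TABLE, payload, 1, 2, "v", 0, 7)
    results["injected_row"] = rows(con)[0]

    # 3. Bound parameters store the same inputs verbatim, including an
    #    embedded NUL byte, because the byte length travels with the value.
    con = fresh_db()
    insert_bound(con, TABLE, "O'Brien", 1, 2, "v", 0, 7)
    insert_bound(con, TABLE, payload, 1, 2, "a\x00b", 0, 7)
    results["bound_rows"] = rows(con)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", repr(value))
```

Two things to carry back to the C code. First, the table name is spliced as well (the first %s), and sqlite has no way to bind an identifier, so check tbl_name against a fixed list of known tables before building the statement. Second, the NUL question: sqlite3_bind_text() takes an explicit byte length, and a value bound with its real length is stored and returned intact, NUL and all; but if you pass -1 as the length it stops at the first NUL, and string functions such as length() on the stored value also stop there, so pass the length you actually have rather than relying on the terminator. If the spliced string had been handed to sqlite3_exec() instead of a single prepare/step, the payload above could also append a second statement after the ";".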