Kavita Raghunathan wrote: 

> sprintf(SqlStr, "INSERT INTO %s (AttrName, AttrEnum, AttrType, 
> AttrValue, ReadWrite, Entity_id) VALUES('%s', %d, %d, '%s', %d, 
> %d);", tbl_name, db[i]->attr_name, db[i]->attr_num, db[i]->attr_type, 
> db[i]->attr_value, db[i]->attr_src, entity_id); 

Don't do that.  What if attr_name contains a ' character (or, as you
say, some other weird character)?

Instead, prepare a statement with sqlite variables, and bind values to
those variables using the sqlite3_bind* family of interfaces:

I have no specific knowledge on whether sqlite handles null characters
within the variables' values--but if I were a bettin man, I'd bet that
it handles them quite cleanly.

Eric A. Smith

I think there's a world market for about five computers.
    -- attr. Thomas J. Watson (Chairman of the Board, IBM), 1943
sqlite-users mailing list

Reply via email to