You really should be binding the data values to the prepared statement, not 
injecting user values into the SQL statement.  Unless of course you go to the 
extraordinary lengths required to sanitize your inputs.

https://xkcd.com/327/

You should be doing sqlite_prepare_v2 on a statement of the form:
INSERT INTO posts VALUES (NULL, ?, ?)
and then binding with sqlite_bind_text
*val1 and *val2 to the two parameters
then calling sqlite_step
to execute the statement.
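Added illustration (not part of either message): the same INSERT done both ways against an in-memory SQLite database. Python's stdlib sqlite3 module stands in for the C calls named above; its execute() with a parameter tuple does what sqlite3_prepare_v2, sqlite3_bind_text and sqlite3_step do in C. The table layout and sample values are constructed for the demo.

```python
import sqlite3

# Constructed sample values: a title containing a single quote, which is
# enough to break SQL that was built with string formatting.
TITLE = "Bobby's first post"
BODY = "it's fine"
# A value that looks like SQL; bound as a parameter it is just text.
ODD_TITLE = "'); -- looks like SQL but is only data"


def setup() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    return con


def insert_formatted(con: sqlite3.Connection, title: str, body: str) -> None:
    # Equivalent of the snprintf() approach in the question: the values are
    # spliced into the SQL text, so a quote inside them changes the statement.
    sql = "INSERT INTO posts VALUES (NULL, '%s', '%s')" % (title, body)
    con.execute(sql)


def insert_bound(con: sqlite3.Connection, title: str, body: str) -> None:
    # Equivalent of sqlite3_prepare_v2 + sqlite3_bind_text + sqlite3_step:
    # the SQL text is fixed and the values are handed over separately.
    con.execute("INSERT INTO posts VALUES (NULL, ?, ?)", (title, body))


def demo() -> dict:
    con = setup()
    results = {}
    try:
        insert_formatted(con, TITLE, BODY)
        results["formatted"] = "ok"
    except sqlite3.OperationalError as exc:
        # The quote in TITLE turns the statement into invalid SQL.
        results["formatted"] = "error: " + str(exc)
    insert_bound(con, TITLE, BODY)
    insert_bound(con, ODD_TITLE, BODY)
    # Both rows are stored verbatim; no escaping of the values was needed.
    results["bound"] = con.execute("SELECT title, body FROM posts ORDER BY id").fetchall()
    results["tables"] = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    return results


if __name__ == "__main__":
    print(demo())
```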



> 
> Hi Guys,
> 
> I'm working on a static site generator and want to use SQLite to store
> metadata.   I'm using C and a small library to get the majority of the
> work
> done.   My question is, do you have any suggestions or know where to find
> more lore on how to nicely embed SQL in a program like this?
> 
> Here is an example:
> char query[1024];
> char *val1, *val2, *qs = "INSERT INTO posts VALUES ( NULL, '%s', '%s' );";
> /* initialize val1 and val2... */
> snprintf(query, sizeof(query), qs, val1, val2);
> /* open database (sqlite3 *db), bind statement, etc. */
> sqlite3_exec(db, query, NULL, NULL, NULL);
> 
> 
> The example is not nearly complete, but I'm almost certain there's a
> cleaner way to separate the SQL from the rest of the code.  Before I go
> and come up with my own thing, I wanted to see if there are perhaps some
> better solutions already out there.
> 
> Antonio R. Collins II
> ramar.collins at gmail.com
> http://ramarcollins.com
> _______________________________________________
> sqlite-users mailing list
> sqlite-users at mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
