SQLite escape string c++

风流意气都作罢 submitted on 2019-12-29 06:19:03

Question


Consider the following code

char bar[] = "hello world \"One\", two, 'three'";
char *zSQL = sqlite3_mprintf("INSERT INTO stuff (`foo`) VALUES ('%q');", bar ) ; 
sqlite3_exec(db, zSQL, 0, 0, 0);
sqlite3_free(zSQL);
/* Produces an exception error */

The problem is that the quotes are not getting escaped in the SQL statement. If I was programming in PHP I would use a function like sqlite_escape_string to escape the strings before inserting them in the SQL query, but I cannot seem to find the equivalent function in C++. I could build my own sqlite_escape_string-like function, but I am sure there has to be one already written/tested...

Is there a sqlite_escape_string() equivalent function for c++?


Answer 1:


No. Use bound parameters.

See:
http://www.sqlite.org/c3ref/prepare.html
http://www.sqlite.org/c3ref/bind_blob.html




Answer 2:


You have the same question that many have posed. There isn't anything built in.

The better solution to string concatenation would be to bind parameters, which sidesteps the escaping issue.



Source: https://stackoverflow.com/questions/4820374/sqlite-escape-string-c
