在使用sql语句写入字符串数据时,
由于字符数据中可能隐含转义字符,
如果对于他们不作处理,执行时,exec函数将不识别,或者造成注入攻击
这个时候sqlite_mprintf(),
应该就是必须使用了,配合‘%q’将字符数据中的转义字符,直接转换,
就不用担心字符串中含有‘单引号,这样造成sql语句不识别的问题。
For example,assume the string variable zText contains text as follows:
char *zText = "It's a happy day!";
One can use this text in an sql statement as follows:
char *zsql = sqlite3_mprintf("INSERT INTO table VALUES('%q')",zText);
sqlite3_exec(db,zsql,0);
sqlite3_free(zsql);
Because the %q format string is used,the '\'' character in zText is escaped and the sql generated is as follows:
INSERT INTO table1 VALUES('It''s a happy day!')
This is correct. Had we used %s instead of %q,the generated sql would have looked like this:
INSERT INTO table1 VALUES('It's a happy day!')