subject:"RE\: \[sqlite\] Passing Arguments to SQLite3 from C\+\+"

RE: [sqlite] Passing Arguments to SQLite3 from C++

2007-04-09 Thread James Dennett

It's worth briefly, for the record, mentioning that the code using += is
what often causes SQL injection security issues, and that prepared
statements using parameters are the way to avoid that.

-- James

> -Original Message-
> From: nshaw [mailto:[EMAIL PROTECTED]
> Sent: Monday, April 09, 2007 3:29 PM
> To: sqlite-users@sqlite.org
> Subject: Re: [sqlite] Passing Arguments to SQLite3 from C++
> 
> 
> Thanks, Ted.  I'll give this a shot.
> Regards,
> 
> Nick.
> 
> Teg wrote:

[snip]

> > std::string m_sSQL = "insert into family (member,age) values
";
> > m_sSQL += "(" ;
> > m_sSQL +=  name;
> > m_sSQL +=  "," ;
> > m_sSQL +=  "age" ;
> > m_sSQL += ");" ;


-
To unsubscribe, send email to [EMAIL PROTECTED]
-

Re: [sqlite] Passing Arguments to SQLite3 from C++

2007-04-09 Thread nshaw


Thanks, Ted.  I'll give this a shot.
Regards,

Nick.

Teg wrote:
> 
> Hello nshaw,
> 
> std::string m_sSQL = "CREATE TABLE IF NOT EXISTS ";
> m_sSQL += g_pszTableName;
> m_sSQL += "(" ;
> m_sSQL +=   "AR_FilenameTEXT PRIMARY KEY,"
> ;
> m_sSQL +=   "AR_Subject TEXT ," ;
> m_sSQL +=   "AR_FromTEXT ," ;
> m_sSQL +=   "AR_Group   TEXT ," ;
> m_sSQL +=   "AR_GoodBlocks  INTEGER" ;
> m_sSQL += ");" ;
> 
> HRESULT hr = Exec
> (
> m_sSQL.c_str()
> );
> 
> //
> // Paramaterized insert with values bound later
> //
> std::string m_sSQL = "INSERT OR IGNORE INTO ";
> m_sSQL += g_pszTableName;
> m_sSQL += " VALUES (?,?,?,?,?,?,?);";
> 
> 
> std::string m_sSQL = "insert into family (member,age) values ";
> m_sSQL += "(" ;
> m_sSQL +=  name;
> m_sSQL +=  "," ;
> m_sSQL +=  "age" ;
> m_sSQL += ");" ;
> 
> 
> if you want to do straight C you need something like a sprintf or use
> SQLite's printf routines. I build everything in a C++ string then pass
> is using the ".c_str()" operator. I recommend parameterized inserts
> too.
> 
> C
> 
> 
> -- 
> Best regards,
>  Tegmailto:[EMAIL PROTECTED]
> 
> 
> -
> To unsubscribe, send email to [EMAIL PROTECTED]
> -
> 
> 
> 

-- 
View this message in context: 
http://www.nabble.com/Passing-Arguments-to-SQLite3-from-C%2B%2B-tf3548345.html#a9910750
Sent from the SQLite mailing list archive at Nabble.com.


-
To unsubscribe, send email to [EMAIL PROTECTED]
-

Re: [sqlite] Passing Arguments to SQLite3 from C++

2007-04-09 Thread John Stanton


nshaw wrote:

Help!

I've done everything I can think of to pass arguments to SQLite and nothing
is working.  If anyone has information on how to do it, I'd appreciate it. 
Here's a code segment:


#include 
#include 
#include 
#include "util.h" 
#include 

using namespace std;

int main (int argc, char **argv)
{
sqlite3 *db;// --- database 

char *zErr; 
int return_code;
char *sql;

// - variables for database input ---
char name[30];
int age;

// - create or open the database 
return_code = sqlite3_open("Family.db", ); 

// - error creating or opening the database - 
if (return_code) {

fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
sqlite3_close(db);  // --- close database
exit(1);
}

// - enter data into local variables --
cout << "Enter name: "; cin.getline (name, 30);
cout << "Enter age: "; cin >> age;

// - enter a record into the database -
sql = "insert into family (member,age) values (name, age)";  // 
HERE'S WHERE COMPILE BUSTS


The error is that no column exists called 'age.'  I've tried passing name
and age as pointers, as references, I've tried declaring them as pointers,
etc. and nothing can be passed.  If I pass absolute arguments ("Nick", 30)
it works.

Again, I appreciate any and all help!
Regards,

Nick.
You have to derefence your pointers like name so that you insert the 
value into the SQL statement.


-
To unsubscribe, send email to [EMAIL PROTECTED]
-

Re: [sqlite] Passing Arguments to SQLite3 from C++

2007-04-09 Thread Teg

Hello nshaw,

std::string m_sSQL = "CREATE TABLE IF NOT EXISTS ";
m_sSQL += g_pszTableName;
m_sSQL += "(" ;
m_sSQL +=   "AR_FilenameTEXT PRIMARY KEY," ;
m_sSQL +=   "AR_Subject TEXT ," ;
m_sSQL +=   "AR_FromTEXT ," ;
m_sSQL +=   "AR_Group   TEXT ," ;
m_sSQL +=   "AR_GoodBlocks  INTEGER" ;
m_sSQL += ");" ;

HRESULT hr = Exec
(
m_sSQL.c_str()
);

//
// Paramaterized insert with values bound later
//
std::string m_sSQL = "INSERT OR IGNORE INTO ";
m_sSQL += g_pszTableName;
m_sSQL += " VALUES (?,?,?,?,?,?,?);";


std::string m_sSQL = "insert into family (member,age) values ";
m_sSQL += "(" ;
m_sSQL +=  name;
m_sSQL +=  "," ;
m_sSQL +=  "age" ;
m_sSQL += ");" ;


if you want to do straight C you need something like a sprintf or use
SQLite's printf routines. I build everything in a C++ string then pass
is using the ".c_str()" operator. I recommend parameterized inserts
too.

C

Monday, April 9, 2007, 12:59:27 PM, you wrote:

n> Help!

n> I've done everything I can think of to pass arguments to SQLite and nothing
n> is working.  If anyone has information on how to do it, I'd appreciate it.
n> Here's a code segment:

n> #include 
n> #include   
n> #include 
n> #include "util.h"   
n> #include 

n> using namespace std;

n> int main (int argc, char **argv)
n> {
n> sqlite3 *db;// --- database   

n> char *zErr; 
n> int return_code;
n> char *sql;

n> // - variables for database input ---
n> char name[30];
n> int age;

n> // - create or open the database 
n> return_code = sqlite3_open("Family.db", );   

n> // - error creating or opening the database - 
n> if (return_code) {
n> fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
n> sqlite3_close(db);  // --- close database
n> exit(1);
n> }

n> // - enter data into local variables --
n> cout << "Enter name: "; cin.getline (name, 30);
n> cout << "Enter age: "; cin >> age;

n> // - enter a record into the database -
n> sql = "insert into family (member,age) values (name, age)";  // 
n> HERE'S WHERE COMPILE BUSTS


n> The error is that no column exists called 'age.'  I've tried passing name
n> and age as pointers, as references, I've tried declaring them as pointers,
n> etc. and nothing can be passed.  If I pass absolute arguments ("Nick", 30)
n> it works.

n> Again, I appreciate any and all help!
n> Regards,

n> Nick.



-- 
Best regards,
 Tegmailto:[EMAIL PROTECTED]


-
To unsubscribe, send email to [EMAIL PROTECTED]
-

RE: [sqlite] Passing Arguments to SQLite3 from C++

2007-04-09 Thread James Dennett

nshaw writes: 

> Help!
> 
> I've done everything I can think of to pass arguments to SQLite and
> nothing
> is working.  If anyone has information on how to do it, I'd appreciate
it.
> Here's a code segment:

[edited to remove SQL3-related material]

> int main (int argc, char **argv)
> {
> char *sql;
> sql = "insert into family (member,age) values (name, age)";  //
--
> --
> HERE'S WHERE COMPILE BUSTS

This looks like a simple const violation; a string literal has type
"array of n const char", but you attempt to point a non-const char* into
it.

If this isn't the problem, maybe you can show what error you see.

You probably want to look at bind variables (sqlite3_bind_text) though,
to address the bigger issue (getting SQLite to read data from C++
variables).

(You appear to be writing something closer to C than idiomatic C++,
which may be a reasonable choice for you.  For many people it would be
simpler to either use more of C++, such as using string objects, or to
stick to straight C.  Sometimes though it makes sense to use C++ as "a
better C" with improved type checking etc.  All of which is off-topic
here, and hopefully can be ignored by others instead of attracting
flames.)

-- James

-
To unsubscribe, send email to [EMAIL PROTECTED]
-

RE: [sqlite] Passing Arguments to SQLite3 from C++

Re: [sqlite] Passing Arguments to SQLite3 from C++

Re: [sqlite] Passing Arguments to SQLite3 from C++

Re: [sqlite] Passing Arguments to SQLite3 from C++

RE: [sqlite] Passing Arguments to SQLite3 from C++

5 matches

Site Navigation

Mail list logo

Footer information