RE: [sqlite] Passing Arguments to SQLite3 from C++
It's worth briefly, for the record, mentioning that the code using += is what often causes SQL injection security issues, and that prepared statements using parameters are the way to avoid that. -- James > -Original Message- > From: nshaw [mailto:[EMAIL PROTECTED] > Sent: Monday, April 09, 2007 3:29 PM > To: sqlite-users@sqlite.org > Subject: Re: [sqlite] Passing Arguments to SQLite3 from C++ > > > Thanks, Ted. I'll give this a shot. > Regards, > > Nick. > > Teg wrote: [snip] > > std::string m_sSQL = "insert into family (member,age) values "; > > m_sSQL += "(" ; > > m_sSQL += name; > > m_sSQL += "," ; > > m_sSQL += "age" ; > > m_sSQL += ");" ; - To unsubscribe, send email to [EMAIL PROTECTED] -
Re: [sqlite] Passing Arguments to SQLite3 from C++
Thanks, Ted. I'll give this a shot. Regards, Nick. Teg wrote: > > Hello nshaw, > > std::string m_sSQL = "CREATE TABLE IF NOT EXISTS "; > m_sSQL += g_pszTableName; > m_sSQL += "(" ; > m_sSQL += "AR_FilenameTEXT PRIMARY KEY," > ; > m_sSQL += "AR_Subject TEXT ," ; > m_sSQL += "AR_FromTEXT ," ; > m_sSQL += "AR_Group TEXT ," ; > m_sSQL += "AR_GoodBlocks INTEGER" ; > m_sSQL += ");" ; > > HRESULT hr = Exec > ( > m_sSQL.c_str() > ); > > // > // Paramaterized insert with values bound later > // > std::string m_sSQL = "INSERT OR IGNORE INTO "; > m_sSQL += g_pszTableName; > m_sSQL += " VALUES (?,?,?,?,?,?,?);"; > > > std::string m_sSQL = "insert into family (member,age) values "; > m_sSQL += "(" ; > m_sSQL += name; > m_sSQL += "," ; > m_sSQL += "age" ; > m_sSQL += ");" ; > > > if you want to do straight C you need something like a sprintf or use > SQLite's printf routines. I build everything in a C++ string then pass > is using the ".c_str()" operator. I recommend parameterized inserts > too. > > C > > > -- > Best regards, > Tegmailto:[EMAIL PROTECTED] > > > - > To unsubscribe, send email to [EMAIL PROTECTED] > - > > > -- View this message in context: http://www.nabble.com/Passing-Arguments-to-SQLite3-from-C%2B%2B-tf3548345.html#a9910750 Sent from the SQLite mailing list archive at Nabble.com. - To unsubscribe, send email to [EMAIL PROTECTED] -
Re: [sqlite] Passing Arguments to SQLite3 from C++
nshaw wrote: Help! I've done everything I can think of to pass arguments to SQLite and nothing is working. If anyone has information on how to do it, I'd appreciate it. Here's a code segment: #include #include #include #include "util.h" #include using namespace std; int main (int argc, char **argv) { sqlite3 *db;// --- database char *zErr; int return_code; char *sql; // - variables for database input --- char name[30]; int age; // - create or open the database return_code = sqlite3_open("Family.db", ); // - error creating or opening the database - if (return_code) { fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db)); sqlite3_close(db); // --- close database exit(1); } // - enter data into local variables -- cout << "Enter name: "; cin.getline (name, 30); cout << "Enter age: "; cin >> age; // - enter a record into the database - sql = "insert into family (member,age) values (name, age)"; // HERE'S WHERE COMPILE BUSTS The error is that no column exists called 'age.' I've tried passing name and age as pointers, as references, I've tried declaring them as pointers, etc. and nothing can be passed. If I pass absolute arguments ("Nick", 30) it works. Again, I appreciate any and all help! Regards, Nick. You have to derefence your pointers like name so that you insert the value into the SQL statement. - To unsubscribe, send email to [EMAIL PROTECTED] -
Re: [sqlite] Passing Arguments to SQLite3 from C++
Hello nshaw, std::string m_sSQL = "CREATE TABLE IF NOT EXISTS "; m_sSQL += g_pszTableName; m_sSQL += "(" ; m_sSQL += "AR_FilenameTEXT PRIMARY KEY," ; m_sSQL += "AR_Subject TEXT ," ; m_sSQL += "AR_FromTEXT ," ; m_sSQL += "AR_Group TEXT ," ; m_sSQL += "AR_GoodBlocks INTEGER" ; m_sSQL += ");" ; HRESULT hr = Exec ( m_sSQL.c_str() ); // // Paramaterized insert with values bound later // std::string m_sSQL = "INSERT OR IGNORE INTO "; m_sSQL += g_pszTableName; m_sSQL += " VALUES (?,?,?,?,?,?,?);"; std::string m_sSQL = "insert into family (member,age) values "; m_sSQL += "(" ; m_sSQL += name; m_sSQL += "," ; m_sSQL += "age" ; m_sSQL += ");" ; if you want to do straight C you need something like a sprintf or use SQLite's printf routines. I build everything in a C++ string then pass is using the ".c_str()" operator. I recommend parameterized inserts too. C Monday, April 9, 2007, 12:59:27 PM, you wrote: n> Help! n> I've done everything I can think of to pass arguments to SQLite and nothing n> is working. If anyone has information on how to do it, I'd appreciate it. n> Here's a code segment: n> #include n> #include n> #include n> #include "util.h" n> #include n> using namespace std; n> int main (int argc, char **argv) n> { n> sqlite3 *db;// --- database n> char *zErr; n> int return_code; n> char *sql; n> // - variables for database input --- n> char name[30]; n> int age; n> // - create or open the database n> return_code = sqlite3_open("Family.db", ); n> // - error creating or opening the database - n> if (return_code) { n> fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db)); n> sqlite3_close(db); // --- close database n> exit(1); n> } n> // - enter data into local variables -- n> cout << "Enter name: "; cin.getline (name, 30); n> cout << "Enter age: "; cin >> age; n> // - enter a record into the database - n> sql = "insert into family (member,age) values (name, age)"; // n> HERE'S WHERE COMPILE BUSTS n> The error is that no column exists called 'age.' I've tried passing name n> and age as pointers, as references, I've tried declaring them as pointers, n> etc. and nothing can be passed. If I pass absolute arguments ("Nick", 30) n> it works. n> Again, I appreciate any and all help! n> Regards, n> Nick. -- Best regards, Tegmailto:[EMAIL PROTECTED] - To unsubscribe, send email to [EMAIL PROTECTED] -
RE: [sqlite] Passing Arguments to SQLite3 from C++
nshaw writes: > Help! > > I've done everything I can think of to pass arguments to SQLite and > nothing > is working. If anyone has information on how to do it, I'd appreciate it. > Here's a code segment: [edited to remove SQL3-related material] > int main (int argc, char **argv) > { > char *sql; > sql = "insert into family (member,age) values (name, age)"; // -- > -- > HERE'S WHERE COMPILE BUSTS This looks like a simple const violation; a string literal has type "array of n const char", but you attempt to point a non-const char* into it. If this isn't the problem, maybe you can show what error you see. You probably want to look at bind variables (sqlite3_bind_text) though, to address the bigger issue (getting SQLite to read data from C++ variables). (You appear to be writing something closer to C than idiomatic C++, which may be a reasonable choice for you. For many people it would be simpler to either use more of C++, such as using string objects, or to stick to straight C. Sometimes though it makes sense to use C++ as "a better C" with improved type checking etc. All of which is off-topic here, and hopefully can be ignored by others instead of attracting flames.) -- James - To unsubscribe, send email to [EMAIL PROTECTED] -