On Thu, 2005-03-17 at 12:50 -0500, Peter Jay Salzman wrote:
> Without using sqlite_escape_string, single quotes cause "SQL Logic or
> missing database" errors.  So I'm forced to use that function on variables
> set via a form.
> 
> But then to avoid the "backslash in the data" problem, I need to use
> stripslashes on the variables I'm about to write to the database.
> 
> But just in case a user has magic_quotes_gpc set off, I need to test that
> function and then decide whether to use stripslashes() or not.
> 
> Problem solved, but the solution is kind of, well, "icky".  
> 

In the TCL bindings for SQLite, no quoting of variable contents
is needed.  You say something like this:

   db eval {INSERT INTO table1 VALUES($var1,$var2)}

The TCL bindings see the $var1 and $var2 in the SQL code, reach
in to TCL and extract the values of corresponding variables, then
use sqlite3_bind_... to pass those values directly to SQLite
without the need for any escaping or quoting.  The technique is
also very fast since it avoids unnecessary copying of the string
text.  The whole approach works very very well.

The same idea would, in theory, work with PHP.  I suggested as much
to the PHP developers, saying I thought it would make the interface
much simpler.  But the idea was rejected.
-- 
D. Richard Hipp <[EMAIL PROTECTED]>
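The bind-parameter approach described above, as an added example that is not from either poster: Python's sqlite3 module passes named parameters through sqlite3_bind_*, so the single-quote and backslash values that forced sqlite_escape_string and stripslashes in the original post are stored verbatim. The table name table1 and the sample values are constructed for this example.

```python
import sqlite3


def insert_with_binding(conn, var1, var2):
    # Named parameters: the values reach SQLite through sqlite3_bind_*,
    # never through the SQL text, so no escaping or stripslashes() is needed.
    conn.execute(
        "INSERT INTO table1 VALUES(:var1, :var2)",
        {"var1": var1, "var2": var2},
    )
    conn.commit()


def naive_interpolation_raises(conn, var1, var2):
    # The approach the original post struggled with: splicing raw values into
    # the SQL string. A single quote in the data breaks the statement.
    sql = "INSERT INTO table1 VALUES('%s', '%s')" % (var1, var2)
    try:
        conn.execute(sql)
        return False
    except sqlite3.OperationalError:
        # SQLite reports a syntax error ("SQL logic error" family) here.
        return True


def demo():
    # Constructed sample: one value with a single quote, one with backslashes.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1(a TEXT, b TEXT)")
    var1 = "O'Reilly"
    var2 = r"C:\path\with\backslashes"
    insert_with_binding(conn, var1, var2)
    stored = conn.execute("SELECT a, b FROM table1").fetchone()
    broke = naive_interpolation_raises(conn, var1, var2)
    conn.close()
    return stored, broke


if __name__ == "__main__":
    print(demo())
```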