Hi Stev,

 Prepared statements are the best option; however, try sqlite3_mprintf() with
'%q' as the format specifier, which escapes every '\' character.

Find more info at http://sqlite.org/capi3ref.html.

Bharath Booshan L.


On 8/6/07 11:50 AM, "Stephen Sutherland" <[EMAIL PROTECTED]>
wrote:

> Hi ;
>    
>   I am trying to treat a string before passing it through my SQL statement
> into the database.
>    
>   I know that a single apostrophe will break the SQL statement.
>   So I have to replace them all to double apostrophes.
>   Question #1: 
>   What may I ask is the c or C++ code to accomplish that ?
>   Initially I was using this simple scheme.
>    
>   #include <string>
>   using std::string;
>    
>   string str2("stephen's test . Bob's test");
>    
>   // replaces only the first apostrophe it finds
>   if (str2.find("'") != string::npos)
>   {
>      str2.replace(str2.find("'"), 1, "''");
>   } 
>   I know this doesn't test for multiple single apostrophes.
>    
>   But are there any other characters that will break the SQL statement ?
>    
>   Has anyone created a nice algorithm?
> I actually have a situation where the user creates an XML file and the
> contents of the XML file gets dumped in the database. So there is opportunity
> for a hacker to create an XML file which has some SQL statements in it like '
> DELETE TABLE X ;
>    
>   So any thoughts or existing code would be great.
>    
>   Thanks 
>    
>   Stev 
> 
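The safest answer to the question above is the one the reply gives first: bind the value with sqlite3_prepare_v2() and sqlite3_bind_text() so it never becomes part of the SQL text. When the value does have to be spliced into the statement, the transformation that matters in SQLite is doubling every single quote (that is what the '%q' specifier of sqlite3_mprintf() does); SQLite does not treat the backslash as an escape character inside a string literal, so the apostrophe is the only character that can end the literal early. The C++ below is an added example, not code from either message in the thread and not part of SQLite itself: it implements the replace-all version of the escaping, keeps the single-replacement approach from the question for comparison, and adds a small checker that reports whether a built literal is still one literal. All function names are my own.

```cpp
#include <string>
#include <cstddef>

// Double every single quote so the whole value becomes one SQL string
// literal. SQLite has no backslash escapes inside quoted literals, so this
// is the same transformation sqlite3_mprintf("%q") performs. Embedded NUL
// bytes cannot survive a C string anyway; bind parameters handle those.
std::string sqlQuoteEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 2);
    for (char c : in) {
        if (c == '\'') out += "''";   // '  ->  ''
        else out += c;
    }
    return out;
}

// Wrap the escaped value in quotes, producing a complete literal.
std::string sqlLiteral(const std::string& in) {
    return "'" + sqlQuoteEscape(in) + "'";
}

// The single-replacement approach from the question, kept for comparison:
// only the first apostrophe is doubled, so any later one ends the literal.
std::string naiveReplaceFirst(std::string s) {
    std::string::size_type pos = s.find('\'');
    if (pos != std::string::npos) s.replace(pos, 1, "''");
    return s;
}

// Check that a literal is well-formed: it starts and ends with a quote and
// every interior quote is half of a doubled pair. Returns false when an
// unpaired quote is present, i.e. the value would break out of the literal
// and the remainder would be parsed as SQL.
bool isSingleLiteral(const std::string& lit) {
    if (lit.size() < 2 || lit.front() != '\'' || lit.back() != '\'') return false;
    for (std::size_t i = 1; i + 1 < lit.size(); ++i) {
        if (lit[i] == '\'') {
            if (i + 2 >= lit.size() || lit[i + 1] != '\'') return false;
            ++i; // skip the partner quote of the pair
        }
    }
    return true;
}
```

Sample values are constructed from the question: the string with two apostrophes, and an XML-sourced value that begins with an apostrophe followed by a statement. The checker shows the replace-all version keeps both as a single literal while the first-only version does not; in real code, prefer sqlite3_bind_text() and skip the string building altogether.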





