Everyone has suggested the use of prepared statements. I was actually inserting ~10,000 records with great results using BEGIN TRANSACTION; and END TRANSACTION; I was making one big string of insert statements and executing them all at once. It was extremely fast.

How can I do the same with prepared statements? Is it possible for me to prepare 10,000 in a loop and then surround them with BEGIN TRANSACTION and END TRANSACTION? Actually I would appreciate a little code sample, if possible. Assume I have the following:

    char* param1 = "test1";
    char param2 = 'y';
    int param3 = 1;
    for (int x = 0; x < 10000; x++) {
        // how would it work ?
    }

Thanks a lot in advance.

Stephen
Trevor Talbot <[EMAIL PROTECTED]> wrote:

On 8/5/07, Stephen Sutherland wrote:
> I am trying to treat a string before passing it through my SQL statement into
> the database.
>
> I know that a single apostrophe will break the SQL statement.
> So I have to replace them all with double apostrophes.
> But are there any other characters that will break the SQL statement?
> I actually have a situation where the user creates an XML file and the
> contents of the XML file get dumped in the database. So there is opportunity
> for a hacker to create an XML file which has some SQL statements in it like '
> DELETE TABLE X ;
>
> So any thoughts or existing code would be great.

Don't attempt to treat strings at all. Instead, always use the parametric binding API for whatever database you're using. You prepare statements like "INSERT INTO table VALUES (?)", and then pass in the input string as a separate argument for the database engine to put in place of the "?". This avoids the entire problem of escaping special characters, and you don't need to treat your input data specially.

For sqlite, use sqlite3_prepare_v2() and sqlite3_bind_text(). http://sqlite.org/capi3.html should get you up to speed on the process, and browse through the other documents on the site for more information.
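Putting Stephen's question (one prepared statement re-bound 10,000 times inside a single BEGIN/COMMIT) together with Trevor's advice (bind parameters, never escape by hand), here is an added example that is not code from either poster or from the SQLite project. It uses Python's standard sqlite3 module, which wraps the sqlite3_prepare_v2() / sqlite3_bind_*() / sqlite3_step() / sqlite3_reset() cycle Trevor refers to: executemany() compiles the INSERT once and re-binds each tuple. The table name `records`, its columns and the sample rows (including one that carries the kind of "'; DELETE ..." payload Stephen is worried about) are constructed for this example.

```python
import sqlite3

# Constructed sample rows shaped like Stephen's (param1, param2, param3).
# The last one is the hostile case: with parameter binding it is stored as
# plain text and never parsed as SQL.
SAMPLE_ROWS = [
    ("test1", "y", 1),
    ("O'Brien", "n", 2),                      # a lone apostrophe, no escaping needed
    ("'; DELETE FROM records; --", "y", 3),   # would break a string-built statement
]


def make_rows(n):
    """Generate n constructed rows mirroring the loop variables in the question."""
    return [(f"test{i}", "y" if i % 2 == 0 else "n", i) for i in range(n)]


def bulk_insert(conn, rows):
    """Insert all rows through ONE prepared statement inside ONE transaction.

    executemany() prepares the INSERT a single time; for every tuple it binds
    the three values to the '?' slots, steps the statement and resets it.
    Wrapping the whole loop in BEGIN ... COMMIT means one journal write for
    the batch instead of one per row, which is where the speed comes from.
    Returns the number of rows that were bound and stepped.
    """
    cur = conn.cursor()
    cur.execute("BEGIN")
    try:
        cur.executemany(
            "INSERT INTO records (param1, param2, param3) VALUES (?, ?, ?)",
            rows,
        )
        cur.execute("COMMIT")
    except Exception:
        cur.execute("ROLLBACK")   # nothing from the batch survives a failure
        raise
    return len(rows)


def demo(n=10000):
    """Build an in-memory DB, load n generated rows plus the samples, verify.

    Returns (total_row_count, stored_payload) so the caller can check that
    every row arrived and that the hostile string was stored verbatim.
    """
    # isolation_level=None puts the connection in autocommit mode so the
    # BEGIN / COMMIT issued above are the only transaction boundaries.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute(
        "CREATE TABLE records (param1 TEXT, param2 TEXT, param3 INTEGER)"
    )
    bulk_insert(conn, make_rows(n) + SAMPLE_ROWS)

    total = conn.execute("SELECT COUNT(*) FROM records").fetchone()[0]

    # Look the payload up by binding it again: the same mechanism that kept
    # it inert on the way in keeps it inert on the way out.
    payload = SAMPLE_ROWS[2][0]
    stored = conn.execute(
        "SELECT param1 FROM records WHERE param1 = ?", (payload,)
    ).fetchone()[0]
    conn.close()
    return total, stored


if __name__ == "__main__":
    count, text = demo()
    print(f"{count} rows inserted; hostile row stored as: {text!r}")
```

The C equivalent follows the same shape: sqlite3_exec("BEGIN"), one sqlite3_prepare_v2() outside the loop, then per iteration sqlite3_bind_text()/sqlite3_bind_int(), sqlite3_step(), sqlite3_reset(), and finally sqlite3_finalize() and sqlite3_exec("COMMIT"). The point worth checking in your own code is that the INSERT text never changes between iterations; only the bound values do.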