Everyone has suggested the use of prepared statements.

I was actually inserting ~10,000 records with great results using BEGIN
TRANSACTION; and END TRANSACTION; I was making 1 big string of insert
statements and executing them all at once.
It was extremely fast.

How can I do the same with prepared statements?
Is it possible for me to prepare 10,000 in a loop and then surround them with
BEGIN TRANSACTION and END TRANSACTION?

Actually I would appreciate a little code sample, if possible.

Assume I have the following:

  char* param1 = "test1";
  char  param2 = 'y';
  int   param3 = 1;
  for (int x = 0; x < 10000; x++)
  {
      // how would it work ?
  }

Thanks a lot in advance.
Stephen


Trevor Talbot <[EMAIL PROTECTED]> wrote:
  On 8/5/07, Stephen Sutherland wrote:

> I am trying to treat a string before passing it through my SQL statement into 
> the database.
>
> I know that a single apostrophe will break the SQL statement.
> So I have to replace them all to double apostrophes.

> But are there any other characters that will break the SQL statement ?

> I actually have a situation where the user creates an XML file and the 
> contents of the XML file gets dumped in the database. So there is opportunity 
> for a hacker to create an XML file which has some SQL statements in it like ' 
> DELETE TABLE X ;
>
> So any thoughts or existing code would be great.

Don't attempt to treat strings at all. Instead, always use the
parametric binding API for whatever database you're using. You
prepare statements like "INSERT INTO table VALUES (?)", and then pass
in the input string as a separate argument for the database engine to
put in place of the "?". This avoids the entire problem of escaping
special characters, and you don't need to treat your input data
specially.

For sqlite, use sqlite3_prepare_v2() and sqlite3_bind_text().
http://sqlite.org/capi3.html should get you up to speed on the
process, and browse through the other documents on the site for more
information.

-----------------------------------------------------------------------------
To unsubscribe, send email to [EMAIL PROTECTED]
-----------------------------------------------------------------------------
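The pattern Trevor describes (prepare once, bind each value, wrap the loop in one transaction) and the 10,000-row loop Stephen asks about, as an added example that is not part of this thread. It uses Python's sqlite3 module, which calls sqlite3_prepare_v2() and sqlite3_bind_*() under the hood, in place of the C API; the table name `items`, the row contents and the apostrophe-laden sample value are all constructed for the example.

```python
import sqlite3

# Constructed sample data: the three parameters from the post, with one value
# containing the kind of apostrophe-laden text an untrusted XML file might carry.
APOSTROPHE_VALUE = "O'Brien' ; DELETE FROM items ; --"
ROW_COUNT = 10000


def open_db():
    """In-memory database with a table matching the post's three parameters.
    isolation_level=None puts the connection in autocommit mode so that the
    BEGIN/COMMIT below are the only transaction boundaries in play."""
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.execute("CREATE TABLE items (param1 TEXT, param2 TEXT, param3 INTEGER)")
    return conn


def build_rows(n):
    """Constructed rows (param1, param2, param3); row 42 carries the hostile string."""
    rows = []
    for x in range(n):
        param1 = APOSTROPHE_VALUE if x == 42 else "test1"
        rows.append((param1, "y", x))
    return rows


def insert_bound(conn, rows):
    """One INSERT with ? placeholders, prepared once and executed per row inside a
    single transaction. The SQL text and the data travel separately, so an
    apostrophe in the data is never seen by the SQL parser and needs no escaping."""
    conn.execute("BEGIN")
    try:
        conn.executemany(
            "INSERT INTO items (param1, param2, param3) VALUES (?, ?, ?)", rows
        )
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    return len(rows)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def param1_at(conn, param3):
    """Read back param1 for a given param3, again via a bound parameter."""
    row = conn.execute("SELECT param1 FROM items WHERE param3 = ?", (param3,)).fetchone()
    return row[0]


def concatenation_breaks(conn, value):
    """The string-building approach from the post: a plain apostrophe in the
    value turns the statement into a syntax error (and nothing is inserted)."""
    sql = "INSERT INTO items (param1, param2, param3) VALUES ('" + value + "', 'y', -1)"
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = open_db()
    n = insert_bound(db, build_rows(ROW_COUNT))
    print(n, "rows inserted;", row_count(db), "rows in table")
    print("row 42 stored verbatim:", param1_at(db, 42) == APOSTROPHE_VALUE)
    print("concatenated O'Brien breaks the statement:", concatenation_breaks(db, "O'Brien"))
```

In C the same sequence is: sqlite3_exec() with "BEGIN", one sqlite3_prepare_v2() of the INSERT with ? placeholders before the loop, then for each row sqlite3_bind_text()/sqlite3_bind_int(), sqlite3_step() (expecting SQLITE_DONE), sqlite3_reset() and sqlite3_clear_bindings(), and after the loop sqlite3_finalize() followed by "COMMIT". The statement is compiled once, so the per-row cost is only the bind and step, which is why it is as fast as the one-big-string approach while staying immune to apostrophes in the data.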



       