"Mahalakshmi.m" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> I want to know why we have to use sqlite3_mprintf before
> sqlite3_prepare()

We don't; wherever did you get this idea from?

> Case 1:
> Query = sqlite3_mprintf ("DELETE FROM MUSIC WHERE URL = ?;");
> sqlite3_prepare(db, Query ,-1,&stmt,0);
> sqlite3_free(Query);
>
> case 2:
> We can also use directly - sqlite3_prepare(db, "DELETE FROM MUSIC
> WHERE URL = ?;",-1,&stmt,0);
>
> Will there be any performance difference between case 1 and
> case 2?

The first case is slower, since it has to make an extra sqlite3_mprintf 
call (that achieves precisely nothing).

> Sometimes I am using sprintf instead of sqlite3_mprintf. Will both
> have the same functionality?

sprintf requires you to provide an output buffer (but not its length, 
risking a buffer overrun). sqlite3_mprintf allocates its buffer (of an 
appropriate size) on the heap (which you have to free afterwards). Also, 
sqlite3_mprintf supports an extra format specifier - %m if I remember 
correctly - which takes a string and turns it into a correctly escaped SQL 
string literal. This helps protect against SQL injection attacks (but 
using a parameterized prepared statement is still better).

> sprintf(buff,"DELETE FROM MUSIC WHERE URL = ?;");
> sqlite3_prepare(db, buff,-1,&stmt,0);

You don't need sprintf here either.

Igor Tandetnik 
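The three approaches Igor contrasts, as an added example that is not part of the thread: Python's built-in sqlite3 module wraps the same library, so a parameterized `execute` corresponds to the `sqlite3_prepare` + bind pattern of the quoted `DELETE FROM MUSIC WHERE URL = ?` statement. The `escape_like_q` helper is my own approximation of what the escaping format specifier does (doubling single quotes); the MUSIC rows and the `TAUTOLOGY` value are constructed sample data.

```python
import sqlite3

# Constructed sample rows for the MUSIC table from the thread; one URL contains an apostrophe.
SEED = ["http://a/one.mp3", "http://a/two.mp3", "http://a/rock'n'roll.mp3"]
# Constructed value: plain text to a bound parameter, but SQL once spliced into the statement.
TAUTOLOGY = "x' OR '1'='1"

def fresh_db():
    """In-memory database with the MUSIC table seeded from SEED."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MUSIC (URL TEXT PRIMARY KEY)")
    db.executemany("INSERT INTO MUSIC (URL) VALUES (?)", [(u,) for u in SEED])
    return db

def remaining(db):
    """URLs still present after a delete, sorted for stable comparison."""
    return sorted(row[0] for row in db.execute("SELECT URL FROM MUSIC"))

def escape_like_q(value):
    """Approximation (assumed, not SQLite's code) of the escaping specifier:
    every single quote is doubled so the value cannot close the string literal."""
    return value.replace("'", "''")

def delete_spliced(db, url):
    """sprintf-style: the caller's value becomes part of the statement text.
    Returns None when the value breaks the SQL syntax (sqlite3.OperationalError)."""
    sql = "DELETE FROM MUSIC WHERE URL = '%s';" % url
    try:
        db.execute(sql)
    except sqlite3.OperationalError:
        return None
    return remaining(db)

def delete_escaped(db, url):
    """sqlite3_mprintf-style: the value is still spliced in, but quoted correctly."""
    sql = "DELETE FROM MUSIC WHERE URL = '%s';" % escape_like_q(url)
    db.execute(sql)
    return remaining(db)

def delete_bound(db, url):
    """The form from the thread: '?' is a parameter bound after prepare; the SQL text never changes."""
    db.execute("DELETE FROM MUSIC WHERE URL = ?;", (url,))
    return remaining(db)

if __name__ == "__main__":
    print("bound, tautology treated as text:   ", delete_bound(fresh_db(), TAUTOLOGY))
    print("escaped, apostrophe URL deleted:     ", delete_escaped(fresh_db(), SEED[2]))
    print("spliced, apostrophe breaks the SQL:  ", delete_spliced(fresh_db(), SEED[2]))
    print("spliced, tautology deletes all rows: ", delete_spliced(fresh_db(), TAUTOLOGY))
```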
_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users