> > From: Neville Franks <sql...@surfulater.com>
> implementations are meant to save 
> prepared statements in a cache and IIUC most do.

That's exactly what I am doing. I still pass the original statement text every time; 
the same call either creates a new statement or re-uses the cached version.

> The trend is more for function call
> chaining. I have seen at least one wrapper besides one that
> I have written that copies the idea of overloaded shift operators
> for formatted input/output

I've been amazingly resistant to the use of the standard C++ template library 
and Boost. However, in this situation it sounds like overloaded shift operators 
are a great idea! They solve some of the deficiencies in my approach.

> > Hasn't anyone else used variable argument lists for binding parameters
> > and what not?
> 
>   There is a built-in API for that:
> http://sqlite.org/c3ref/mprintf.html

Hmm, actually I am not composing the SQL statement text using variable 
arguments. I am using variable arguments to pass in what is essentially a list 
of pointers to be used in calls to bind..() and fetch_column...().

>   Part of the reason you may find that var-arg binding and similar
>   techniques are not widely supported is that string-based SQL
>   manipulation is considered dangerous.  SQL injection is a very common
>   and ridiculously successful attack, especially in the web world.

Yeah but like I said I am not composing the statement text. 

> Personally, I don't use var-args in C++ code.  You lose
> type-safety, can't use user-defined types, and can't detect when
> the wrong number of arguments is passed, not even at run-time.

These are exactly the problems I want to solve in my current implementation.

I am going to explore the idea of using overloaded shift operators with 
function chaining.

Just to give you an idea of what I have currently:

        bRow=m_db.Select( err, &stmt,
                "SELECT "
                "       NAME, "
                "       FULLPATH, "
                "       PARENTID "
                "FROM DIR "
                "       WHERE DIRID=?;",
                "D,SSD",
                dirRid,
                &strName,
                &dirStrPath,
                &parentRid );

The string "D,SSD" tells the function the data types of the following 
arguments; the comma separates the parameter binds from the column binds. 
So, as you can see, I am not composing the SQL text. But as was pointed out, 
this approach lacks type safety.

Thanks!

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
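As an added example (not code from the post, and not SQLite's own API): a sketch of the type-safe shift-operator binding that the reply says it will explore, written in C++. It keeps the property the poster cares about, the SQL text is a constant and only values are bound, while replacing the "D,SSD" type string with overloads chosen by the argument's static type and adding the parameter-count check that var-args cannot do. To run without libsqlite3 it uses a hypothetical FakeStmt in place of a prepared statement and a constructed DIR table; Binder, Fetcher, FakeStmt, fakeStep, selectDir and DirRow are names invented here, and dirRid is assumed to be an int64_t.

```cpp
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <utility>
#include <variant>
#include <vector>

// Hypothetical stand-in for a prepared statement so the example runs without
// libsqlite3. In a real wrapper Binder's overloads would forward to
// sqlite3_bind_int64/sqlite3_bind_double/sqlite3_bind_text and Fetcher's to
// sqlite3_column_int64/sqlite3_column_double/sqlite3_column_text.
using Value = std::variant<int64_t, double, std::string>;

struct FakeStmt {
    int paramCount;             // what sqlite3_bind_parameter_count() would report
    std::vector<Value> bound;   // values bound so far, in '?' order
    std::vector<Value> row;     // current result row, in SELECT column order
};

// Binder: operator<< is selected by the static type of the argument, so the
// per-call "D,SSD" string is unnecessary and an unsupported type (e.g. a raw
// pointer) is a compile error instead of a misread of the argument stack.
class Binder {
public:
    explicit Binder(FakeStmt& s) : stmt_(s) {}
    Binder& operator<<(int64_t v)            { push(v); return *this; }
    Binder& operator<<(int v)                { push(int64_t(v)); return *this; }
    Binder& operator<<(double v)             { push(v); return *this; }
    Binder& operator<<(const std::string& v) { push(v); return *this; }
    Binder& operator<<(const char* v)        { push(std::string(v)); return *this; }

    // The count check var-args cannot provide: every '?' gets exactly one value.
    void done() const {
        if (int(stmt_.bound.size()) != stmt_.paramCount)
            throw std::runtime_error("bound " + std::to_string(stmt_.bound.size()) +
                                     " values for " + std::to_string(stmt_.paramCount) +
                                     " parameters");
    }
private:
    void push(Value v) {
        if (int(stmt_.bound.size()) >= stmt_.paramCount)
            throw std::runtime_error("more values than '?' placeholders");
        stmt_.bound.push_back(std::move(v));
    }
    FakeStmt& stmt_;
};

// Fetcher: operator>> writes into a typed lvalue; a column whose stored type
// does not match the destination is reported rather than reinterpreted.
class Fetcher {
public:
    explicit Fetcher(const FakeStmt& s) : stmt_(s) {}
    Fetcher& operator>>(int64_t& out)     { out = get<int64_t>(); return *this; }
    Fetcher& operator>>(double& out)      { out = get<double>(); return *this; }
    Fetcher& operator>>(std::string& out) { out = get<std::string>(); return *this; }
private:
    template <class T> T get() {
        if (col_ >= stmt_.row.size())
            throw std::runtime_error("more output variables than result columns");
        const Value& v = stmt_.row[col_++];
        if (!std::holds_alternative<T>(v))
            throw std::runtime_error("type mismatch in column " + std::to_string(col_ - 1));
        return std::get<T>(v);
    }
    const FakeStmt& stmt_;
    size_t col_ = 0;
};

// Constructed sample data standing in for the DIR table (DIRID, NAME, FULLPATH, PARENTID).
struct DirRecord { int64_t dirId; std::string name; std::string fullPath; int64_t parentId; };
static const std::vector<DirRecord> kDirTable = {
    {1, "root", "/",    0},
    {7, "etc",  "/etc", 1},
};

// Stand-in for sqlite3_step(): looks up the bound DIRID and fills the row.
static bool fakeStep(FakeStmt& st) {
    int64_t id = std::get<int64_t>(st.bound.at(0));
    for (const auto& r : kDirTable)
        if (r.dirId == id) { st.row = {r.name, r.fullPath, r.parentId}; return true; }
    return false;
}

struct DirRow { std::string name; std::string fullPath; int64_t parentId = 0; };

// The query from the post with chaining in place of "D,SSD" + var-args.
// The SQL text is a constant; dirRid is bound, never spliced into it.
static bool selectDir(int64_t dirRid, DirRow& out) {
    static const char* kSql = "SELECT NAME, FULLPATH, PARENTID FROM DIR WHERE DIRID=?;";
    (void)kSql;  // a real wrapper would sqlite3_prepare_v2() this once and cache it
    FakeStmt stmt{1, {}, {}};
    Binder b(stmt);
    b << dirRid;
    b.done();
    if (!fakeStep(stmt)) return false;
    Fetcher f(stmt);
    f >> out.name >> out.fullPath >> out.parentId;
    return true;
}

// True when binding two values to a one-'?' statement is rejected.
static bool wrongArgCountIsDetected() {
    FakeStmt stmt{1, {}, {}};
    try { Binder b(stmt); b << int64_t(7) << "extra"; return false; }
    catch (const std::runtime_error&) { return true; }
}

// True when fetching a TEXT column into an integer is rejected.
static bool columnTypeMismatchIsDetected() {
    FakeStmt stmt{0, {}, {std::string("root")}};
    int64_t n = 0;
    try { Fetcher f(stmt); f >> n; return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    DirRow r;
    bool ok = selectDir(7, r);
    std::printf("%d %s %s %lld\n", ok, r.name.c_str(), r.fullPath.c_str(), (long long)r.parentId);
    return (ok && wrongArgCountIsDetected() && columnTypeMismatchIsDetected()) ? 0 : 1;
}
```

With the real library, done() would compare against sqlite3_bind_parameter_count() and the fetch side against sqlite3_column_count() and sqlite3_column_type(), which gives the run-time count and type checks; the compile-time part comes for free from overload resolution, which is the advantage over a format string that the compiler never sees.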