As for sprintf, what they didn't tell you is that you don't want to use that due to security considerations.
If you are getting ANY data from user input they can craft SQL injection attacks, which sprintf is very susceptible to. Binding the values helps to ensure they can't do that.

Michael D. Black
Senior Scientist
Advanced Analytics Directorate
Advanced GEOINT Solutions Operating Unit
Northrop Grumman Information Systems

________________________________________
From: [email protected] [[email protected]] on behalf of Vaclav Peroutka [[email protected]]
Sent: Thursday, August 30, 2012 3:51 AM
To: General Discussion of SQLite Database
Subject: EXT :Re: [sqlite] why no such column in sqlite3 ?

> Rob Richardson wrote:
>> Put single quotes around Testitem:
>>
>> sprintf( sqlquery, "INSERT INTO tblTest ( CINDEX, CDATE, CDESCR, CAMOUNT ) VALUES ( 5, 2012-08-29, 'Testitem', 300 )");
>
> And around cdate too. There is no dedicated date type in sqlite, 2012-08-29 is
> treated as expression ((2012 - 08) - 29). Result will be 1975, not what you
> might have expected.
>
> sprintf( sqlquery, "INSERT INTO tblTest ( CINDEX, CDATE, CDESCR, CAMOUNT )
> VALUES ( 5, '2012-08-29', 'Testitem', 300 )");
>
> And you likely should use sqlite3_prepare_v2, placeholders, sqlite3_bind_int and
> sqlite3_bind_text instead of sprintf.

Thank you for the answers, single quotes helped. Regarding the other functions, is there any example for them? I used the "5 minutes" example and there is nothing like that. sprintf formatting works well for me so far.

_______________________________________________
sqlite-users mailing list
[email protected]
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users

