26 Jun 2006, 12:39 a.m.
Quoting Matthias Andree:
How about just using sqlite_mprintf with %q? It includes malloc() and does proper SQL escaping.
I thought about it, but the reference says "The strings returned by these routines should be freed by calling sqlite3_free()", not a plain free(), so we'd require an additional strdup. But the main reason is the avoidance of a heavy-weight printf substitute (I don't know how optimized it is, though). It would be different if we used it to escape a whole query, e.g. SELECT something FROM somewhere WHERE bla='%q' AND blub='%q'
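An added example, not code from this thread or from SQLite: a small C escaper that mirrors the %q / %Q semantics discussed above (double every single quote; %Q also adds the surrounding quotes and emits NULL for a null pointer) but hands back a buffer released with plain free(), the route the reply alludes to when it mentions an extra strdup.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape s for use inside a single-quoted SQL literal, as %q does:
 * every ' becomes '' and nothing else is changed. Returns a malloc()'d
 * string the caller frees with free(), or NULL on allocation failure. */
char *sql_escape_q(const char *s)
{
    size_t len = 0, quotes = 0;
    for (const char *p = s; *p; p++) {
        len++;
        if (*p == '\'')
            quotes++;
    }
    char *out = malloc(len + quotes + 1);
    if (!out)
        return NULL;
    char *o = out;
    for (const char *p = s; *p; p++) {
        *o++ = *p;
        if (*p == '\'')
            *o++ = '\'';        /* '' is SQL's escape for a literal quote */
    }
    *o = '\0';
    return out;
}

/* Like %Q: wrap the escaped value in quotes, or emit the bare keyword
 * NULL when s is a null pointer. Caller frees the result with free(). */
char *sql_quote_Q(const char *s)
{
    if (!s) {
        char *n = malloc(5);
        if (n)
            memcpy(n, "NULL", 5);
        return n;
    }
    char *esc = sql_escape_q(s);
    if (!esc)
        return NULL;
    char *out = malloc(strlen(esc) + 3);   /* two quotes plus NUL */
    if (out)
        sprintf(out, "'%s'", esc);
    free(esc);
    return out;
}

int main(void)
{
    char *q = sql_quote_Q("O'Brien");      /* constructed sample value */
    printf("SELECT x FROM t WHERE name=%s\n", q);
    free(q);                                /* plain free(), no sqlite3_free() */
    return 0;
}
```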