25 Jun
2006
8:27 p.m.
Jakob Hirsch jh@plonk.de writes:
A recent change in the SQL drivers introduced escaping, but SQLite is different in this aspect: you cannot escape with a backslash; the only character that needs escaping is the quoting character itself (by doubling it, as the SQL standard says). As the escaping function does not know which quote character is used, one should only use the single tick ' (again, as the SQL standard says) and the escaping function should double any single quote in the string. (Untested) patch for the latter attached.
How about just using sqlite_mprintf with %q? It includes malloc() and does proper SQL escaping. See http://www.sqlite.org/capi3ref.html#sqlite3_mprintf
-- Matthias Andree
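To illustrate the point of the thread, here is an added example (my own code, not the patch under discussion and not part of SQLite) using Python's built-in sqlite3 module: `sqlite_quote` doubles single quotes exactly as %q does, `backslash_quote` is the MySQL-style escaping the original driver change apparently used, and `roundtrip` shows which one survives a value containing both a quote and a backslash; the function names and the sample string are mine.

```python
import sqlite3

# SQLite follows the SQL standard: inside a '...' literal the only character
# that needs escaping is the single quote, written as two single quotes.
# That is what sqlite3_mprintf("%q") produces; backslashes are ordinary bytes.

def sqlite_quote(value: str) -> str:
    """Return value as a single-quoted SQLite literal (standard SQL style)."""
    return "'" + value.replace("'", "''") + "'"

def backslash_quote(value: str) -> str:
    """MySQL-style backslash escaping, shown only to contrast with the above."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"

def roundtrip(value: str, quote) -> str:
    """Store value via a statement built with quote(), then read it back.

    Raises sqlite3.OperationalError if quote() produced SQL that SQLite
    cannot parse, i.e. the quoting broke the statement structure.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (v TEXT)")
    conn.execute("INSERT INTO t VALUES (" + quote(value) + ")")
    return conn.execute("SELECT v FROM t").fetchone()[0]

def roundtrip_param(value: str) -> str:
    """The alternative most drivers offer: let SQLite bind the value itself."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (v TEXT)")
    conn.execute("INSERT INTO t VALUES (?)", (value,))
    return conn.execute("SELECT v FROM t").fetchone()[0]

def backslash_quote_is_broken(value: str) -> bool:
    """True if backslash-style quoting either fails or corrupts the value."""
    try:
        return roundtrip(value, backslash_quote) != value
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    # Constructed input: a quote, a backslash and a percent sign.
    sample = "O'Brien \\ 100%"
    print(sqlite_quote(sample))                         # 'O''Brien \ 100%'
    print(roundtrip(sample, sqlite_quote) == sample)    # True
    print(backslash_quote_is_broken(sample))            # True
```

Note that `backslash_quote` also silently corrupts a value containing only a backslash (it is stored doubled), so the defect is not limited to inputs that fail to parse.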