sqlite中,
在使用sql语句写入字符串数据时,
由于字符数据中可能隐含转义字符,
如果对于他们不作处理,执行时,exec函数将不识别,或者造成注入攻击
这个时候sqlite_mprintf(),
应该就是必须使用了,配合‘%q’将字符数据中的转义字符,直接转换,
就不用担心字符串中含有‘单引号,这样造成sql语句不识别的问题。
For example, assume the string variable zText contains text as follows:
char *zText = "It's a happy day!";
One can use this text in an SQL statement as follows:
char *zSQL = sqlite3_mprintf("INSERT INTO table VALUES('%q')", zText);
sqlite3_exec(db, zSQL, 0, 0, 0);
sqlite3_free(zSQL);
Because the %q format string is used, the '\'' character in zText is escaped and the SQL generated is as follows:
INSERT INTO table1 VALUES('It''s a happy day!')
This is correct. Had we used %s instead of %q, the generated SQL would have looked like this:
INSERT INTO table1 VALUES('It's a happy day!')
参考: