Sqlite SQL¸ñʽ»¯ÊäÈ뺯Êýsplite3_mprintf

sqliteÖÐ，

ÔÚʹÓÃsqlÓï¾äдÈë×Ö·û´®Êý¾Ýʱ，

ÓÉÓÚ×Ö·ûÊý¾ÝÖпÉÄÜÒþº¬×ªÒå×Ö·û，

Èç¹û¶ÔÓÚËûÃDz»×÷´¦Àí，Ö´ÐÐʱ，execº¯Êý½«²»Ê¶±ð，»òÕßÔì³É×¢Èë¹¥»÷

Õâ¸öʱºòsqlite_mprintf(),

Ó¦¸Ã¾ÍÊDZØÐëʹÓÃÁË，ÅäºÏ¡®%q¡¯½«×Ö·ûÊý¾ÝÖеÄתÒå×Ö·û，Ö±½Óת»»，

¾Í²»Óõ£ÐÄ×Ö·û´®Öк¬ÓС®µ¥ÒýºÅ，ÕâÑùÔì³ÉsqlÓï¾ä²»Ê¶±ðµÄÎÊÌâ¡£

For example, assume the string variable zText contains text as follows:

char *zText = "It's a happy day!";

One can use this text in an SQL statement as follows:

char *zSQL = sqlite3_mprintf("INSERT INTO table VALUES('%q')", zText);
sqlite3_exec(db, zSQL, 0, 0, 0);
sqlite3_free(zSQL);

Because the %q format string is used, the '\'' character in zText is escaped and the SQL generated is as follows:

INSERT INTO table1 VALUES('It''s a happy day!')

This is correct. Had we used %s instead of %q, the generated SQL would have looked like this:

INSERT INTO table1 VALUES('It's a happy day!')

²Î¿¼：

http://www.sqlite.org/c3ref/mprintf.html