Sqlite SQL格式化输入函数splite3_mprintf

sqlite中，

在使用sql语句写入字符串数据时，

由于字符数据中可能隐含转义字符，

如果对于他们不作处理，执行时，exec函数将不识别，或者造成注入攻击

这个时候sqlite_mprintf(),

应该就是必须使用了，配合‘%q’将字符数据中的转义字符，直接转换，

就不用担心字符串中含有‘单引号，这样造成sql语句不识别的问题。

For example, assume the string variable zText contains text as follows:

char *zText = "It's a happy day!";

One can use this text in an SQL statement as follows:

char *zSQL = sqlite3_mprintf("INSERT INTO table VALUES('%q')", zText);sqlite3_exec(db, zSQL, 0, 0, 0);sqlite3_free(zSQL);

Because the %q format string is used, the '\'' character in zText is escaped and the SQL generated is as follows:

INSERT INTO table1 VALUES('It''s a happy day!')

This is correct. Had we used %s instead of %q, the generated SQL would have looked like this:

INSERT INTO table1 VALUES('It's a happy day!')