In C the SQL statement is usually built with sprintf, like this:
sprintf(sql, "insert into data (cmd) values (\"%s\");", cmd);
When cmd is echo "ab,
the C string holding it is "echo \"ab",
and the resulting SQL is "insert into data (cmd) values (\"echo \"ab\");", i.e. insert into data (cmd) values ("echo "ab");
The quote inside cmd closes the literal early, so the value is cut off before ab (and whatever follows the quote is parsed as SQL, which is exactly how SQL injection works).
The content of cmd therefore has to be escaped the SQL way: ' becomes '' (two single quotes) and " becomes "" (two double quotes). Note that in SQLite the standard string literal is single-quoted; a double-quoted token is an identifier first and is only treated as a string if no such column exists. Where the sqlite3 API is available, binding the value with sqlite3_bind_text() avoids the problem entirely, because the value never becomes part of the SQL text.
The following is the implementation (returns a malloc'd copy with every ' and " doubled; the caller must free() it; 2*len + 1 bytes is enough even if every character is a quote):
/**
 * Author: dengzhaoqun
 * Date: 2012/10/23
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

char *xm_escape_string(const char *str)
{
    char *bak;
    size_t len, i, j;

    len = strlen(str);
    bak = (char *)malloc((len * 2 + 1) * sizeof(char));
    if (bak == NULL) {
        fprintf(stderr, "malloc failed\n");
        return NULL;
    }
    memset(bak, 0, len * 2 + 1);
    j = 0;
    for (i = 0; i < len; i++) {
        if ((str[i] == '"') || (str[i] == '\'')) {
            bak[j] = str[i];   /* emit the quote once more */
            j++;
        }
        bak[j] = str[i];
        j++;
    }
    return bak;
}
I also tried escaping \ in cmd as \\, " as \" and ' as \', but the result showed that SQLite could not parse the statement.
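To check both escaping rules above against a real SQLite engine, here is an added example (not code from the original post) in Python, whose standard-library sqlite3 module runs the same engine. The table name data and the column cmd are taken from the post; the payloads are constructed for the demonstration, the single-quoted literal is used because that is SQLite's string-literal form, and the bound-parameter variant is an addition showing the approach that needs no escaping at all.

```python
"""Added example: exercise the post's quote-doubling rule, the backslash
variant it reports as failing, and parameter binding, against SQLite."""
import sqlite3


def sqlite_escape(value: str) -> str:
    """Double every single quote, which is the page's rule for a '...' literal.

    SQLite has no backslash escapes inside string literals; doubling the
    delimiter is the only way to embed it (what xm_escape_string does in C).
    """
    return value.replace("'", "''")


def backslash_escape(value: str) -> str:
    """C-style escaping, kept only to show why the post saw parse errors."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def _fresh_db() -> sqlite3.Connection:
    # In-memory database with the post's table; constructed for the demo.
    conn = sqlite3.connect(":memory:")
    conn.execute("create table data (cmd text)")
    return conn


def store_with_doubling(cmd: str) -> str:
    """Build the INSERT by string formatting with doubled quotes, then read back."""
    conn = _fresh_db()
    conn.execute("insert into data (cmd) values ('%s');" % sqlite_escape(cmd))
    return conn.execute("select cmd from data").fetchone()[0]


def store_with_backslash(cmd: str) -> str:
    """Same INSERT but backslash-escaped; returns the stored value or the error text."""
    conn = _fresh_db()
    try:
        conn.execute("insert into data (cmd) values ('%s');" % backslash_escape(cmd))
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc
    return conn.execute("select cmd from data").fetchone()[0]


def store_with_binding(cmd: str) -> str:
    """Bound parameter: the value never becomes SQL text, so nothing is escaped."""
    conn = _fresh_db()
    conn.execute("insert into data (cmd) values (?);", (cmd,))
    return conn.execute("select cmd from data").fetchone()[0]


if __name__ == "__main__":
    payload = "echo 'ab"  # constructed, mirrors the post's echo "ab case
    print("doubling :", store_with_doubling(payload))
    print("backslash:", store_with_backslash(payload))
    print("binding  :", store_with_binding(payload))
    # A backslash that survives parsing is still stored wrong:
    print("backslash on a\\b:", store_with_backslash("a\\b"))
```

Running it shows the doubled-quote and bound-parameter variants storing echo 'ab intact, while the backslash variant fails with an "unrecognized token" error for that input and, for an input containing only a backslash, parses but stores the doubled backslash verbatim, so backslash escaping both breaks parsing and corrupts data in SQLite.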
Reference: http://blog.csdn.net/ameyume/article/details/8007149