To update a table, I write:
update set =\"%@\" WHERE =\"%@\"",col1Value,col2Value];
But this is not working. Please help.
My code is below:
const char *dbpath = [databasePath UTF8String];
sqlite3_stmt *statement;
NSString *querySQL = [NSString stringWithFormat:@"UPDATE AssemblyAssessment SET countedunits=\"%@\" WHERE assemblyid=\"%@\"",self.SAcountedunits,self.asmbIdStr];
const char *query_stmt = [querySQL UTF8String];
if (sqlite3_prepare_v2(ipadSites,query_stmt, -1, &statement, NULL) == SQLITE_OK)
{
if (sqlite3_step(statement) == SQLITE_DONE)
{
NSLog(@"done...");
}
else
{
NSLog(@"not done...");
}
sqlite3_finalize(statement);
sqlite3_close(ipadSites);
}
You should use "?" in your prepared statement and use sqlite3_bind_text then to bind the string values, instead of using stringWithFormat and %#. This way you will prevent SQL injections and security issues in your SQL requests (e.g. in case your string contains quotes or other stuff).
For your problem, please be more precise than "it doesn't work". Does it return an error code, in which case which one? Does it return with an OK status but your db isn't working? What are the types of your variables? What are the values of your temporary variables like querySQL, did you try to put breakpoints in your code to check what is happening? Etc, etc.
What is not working exactly? You can try to print the error message like this:
NSLog(@"%s",sqlite3_errmsg(ipadSites));
Also, for such one-line requests you can use the sqlite3_exec() function:
sqlite3_exec(ipadSites, query_stmt, NULL,NULL, NULL);
The code you posted shows you getting the path to the database file but there is no code to open the database. You need to make a call to sqlite3_open_v2 before you attempt to prepare the statement or execute the query.
It's also a bad idea to use a string format to build the query. Your query should be:
const char *query_stmt = "UPDATE AssemblyAssessment SET countedunits = ? WHERE assemblyid = ?";
Prepare that statement, then make use of the appropriate sqlite3_bind_xxx methods to bind the two values to the query. This is a much safer approach. It takes care of properly quoting and escaping the values.
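The difference between the two approaches in this thread, as an added example that is not part of the question or any answer. It uses Python's standard sqlite3 module because it wraps the same SQLite library and runs without Xcode; the C-API calls each function corresponds to are named in the comments. The table contents and the assembly ids are constructed for the demonstration, and single-quoted literals are used for the formatted version.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the question's AssemblyAssessment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE AssemblyAssessment (assemblyid TEXT, countedunits TEXT)")
    conn.executemany(
        "INSERT INTO AssemblyAssessment VALUES (?, ?)",
        [("A-1", "0"), ("A-2", "0"), ("A-3", "0")],
    )
    conn.commit()
    return conn


def update_formatted(conn, counted_units, assembly_id):
    """The question's approach: splice the values into the SQL text.

    Returns the number of rows changed, or the database's error message
    (what sqlite3_errmsg() would report) when the statement cannot be prepared.
    """
    sql = "UPDATE AssemblyAssessment SET countedunits='%s' WHERE assemblyid='%s'" % (
        counted_units, assembly_id)
    try:
        cur = conn.execute(sql)
        conn.commit()
        return cur.rowcount
    except sqlite3.Error as exc:
        return str(exc)


def update_bound(conn, counted_units, assembly_id):
    """The answers' approach: '?' placeholders with the values bound separately
    (sqlite3_prepare_v2 followed by sqlite3_bind_text in the C API).
    Returns the number of rows changed."""
    cur = conn.execute(
        "UPDATE AssemblyAssessment SET countedunits = ? WHERE assemblyid = ?",
        (counted_units, assembly_id),
    )
    conn.commit()
    return cur.rowcount


def counted_units(conn):
    """Snapshot of the table as {assemblyid: countedunits}."""
    return dict(conn.execute("SELECT assemblyid, countedunits FROM AssemblyAssessment"))


if __name__ == "__main__":
    db = make_db()
    print(update_formatted(db, "12' pipe", "A-1"))    # error text: the apostrophe breaks the statement
    print(update_formatted(db, "9", "x' OR '1'='1"))  # 3: the quote rewrote the WHERE clause
    db = make_db()
    print(update_bound(db, "12' pipe", "A-1"))        # 1
    print(update_bound(db, "9", "x' OR '1'='1"))      # 0: the whole string is just a value
    print(counted_units(db))
```

The formatted version fails on an ordinary apostrophe and, worse, lets a crafted assemblyid update every row; the bound version stores the apostrophe as data and matches nothing for the crafted id.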
Related
I am deleting all data from the table by using below code snippet
NSString *deleteStatementNS = [NSString stringWithFormat:
@"DELETE FROM %@",[tableNames objectAtIndex:i]];
const char *prepareDelete ="DELETE FROM '?'";
const char *tbleName = [[tableNames objectAtIndex:i] UTF8String];
if (sqlite3_prepare_v2(dBase, prepareDelete, -1, &dbpreprdstmnt, NULL) == SQLITE_OK)
{
dbrc = sqlite3_bind_text(dbpreprdstmnt, 1, tbleName, -1, SQLITE_TRANSIENT);
dbrc = sqlite3_step(dbpreprdstmnt);
sqlite3_finalize(dbpreprdstmnt);
dbpreprdstmnt = NULL;
}
else
{
NSLog(@"Error %@",[NSString stringWithCString:sqlite3_errmsg(dBase) encoding:NSUTF8StringEncoding]);
}
But unfortunately the delete is not happening; I am getting the error "Error no such table: ?".
I am not able to prepare the statement at all. But if I use a prepared statement like below
const char *prepareDelete =[deleteStatementNS UTF8String];
this is working absolutely fine. I am not able to bind the variable to stop SQL injection attacks. May I know the reason behind this error please? I found many places where this code snippet is reported as working fine.
I am not able to bind the variable to stop SQL injection attacks.
Table names cannot be bound as variables.
To avoid SQL injection attacks don't let your users specify which table names will be deleted. Make sure the table names come from a trusted source (e.g. hardcoded in your program).
In fact it's a really bad idea to delete all data in a table when the table name comes from an untrusted source. Even if you prevent SQL injection attacks, an attacker could still delete data you didn't want them to delete.
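What the answer describes, as an added example that is not part of the question or the answer: the bound table name fails at prepare time, and the safe replacement is a fixed allow-list of table names with proper identifier quoting. Written against Python's standard sqlite3 module (same SQLite library, no Xcode needed); the table names and the allow-list are constructed for the demonstration.

```python
import sqlite3

# Hypothetical allow-list: the only tables this program is permitted to clear.
# It is fixed in the code, never derived from input, as the answer advises.
CLEARABLE_TABLES = frozenset({"words", "AssemblyAssessment"})


def make_db():
    """Constructed in-memory database with two clearable tables and one that is not."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (ordet TEXT)")
    conn.execute("CREATE TABLE AssemblyAssessment (assemblyid TEXT)")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO words VALUES (?)", [("a",), ("b",)])
    conn.execute("INSERT INTO users VALUES ('admin')")
    conn.commit()
    return conn


def delete_with_bound_table_name(conn, table_name):
    """Reproduces the question: the table name is supplied as a bound parameter.
    Identifiers are resolved when the statement is prepared, before any value
    is bound, so SQLite looks for a table literally named '?'.
    Returns the error message SQLite gives (None if it unexpectedly succeeds)."""
    try:
        conn.execute("DELETE FROM '?'", (table_name,))
        return None
    except sqlite3.Error as exc:
        return str(exc)


def quote_identifier(name):
    """Quote an identifier for SQLite: double quotes, with embedded ones doubled."""
    return '"' + name.replace('"', '""') + '"'


def clear_table(conn, table_name):
    """Delete every row of TABLE_NAME, which must be on the allow-list.
    Returns the number of rows deleted; raises ValueError for any other name,
    so an input such as 'words; DROP TABLE users' never reaches SQLite."""
    if table_name not in CLEARABLE_TABLES:
        raise ValueError("refusing to clear table %r" % table_name)
    cur = conn.execute("DELETE FROM %s" % quote_identifier(table_name))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print(delete_with_bound_table_name(db, "words"))  # no such table: ?
    print(clear_table(db, "words"))                   # 2
```

The allow-list check is what provides the protection; the identifier quoting only guards against a name containing a double quote and is not a substitute for the check.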
First (of many?) posts here.
I have an issue with my statement.
sqlite3_stmt *statement;
const char *query = "select * from words where ordet LIKE ?001";
NSString *wildcard = [NSString stringWithFormat:@"%@%%", fullWordForSQL.text];
sqlite3_bind_text(statement, 1, [wildcard UTF8String], -1, SQLITE_STATIC);
if (sqlite3_prepare_v2(dbHandle, query, -1, &statement, NULL) == SQLITE_OK ){
NSLog(@"in if");
NSLog(@"Data: %s", query);
I have successfully retrieved data with the query:
const char *query = "select * from words where ordet LIKE '_test__'";
But when I try to bind the dynamically created word it doesn't stick.
My NSLog prints "Data: select * from words where ordet LIKE ?001", so somehow I am not getting the bind to work.
I know that there will be other issues along the way with the code above, but right now I'm stuck at this problem.
query does not change when you call sqlite3_bind_text(). If you think about it, there's no way it should change, since you declared it as a const char *. What you want to do is use sqlite3_trace() to register to get a callback with the final bound string so you can see what's really happening.
Wouldn't you need to surround the value in single-quotes? " where ordet like '%001' " Or is that unnecessary in xcode? I am not proficient at xcode. Are you trying to inject the wildcard character into the sql statement in front of a value that is already contained in the statement string, or are you trying to prepend the wildcard character to a search-value and then bind that search-value-with-wildcard to the statement? It looks like the former to me, but as I said, I don't know xcode. I would not normally include a piece of the search-term in the query statement, but would do this:
"select * from words where ordet like ?"
// prepend the wildcard to my search term
// bind the search term to my query
Try doing your prepare_v2 statement BEFORE your bind_text statement.
I think this is much simpler.
NSString *query = [NSString stringWithFormat:@"SELECT * FROM words WHERE ordet GLOB '*%@*' ", fullWordForSQL.text];
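The approach the answers recommend (prepare first, then bind a value that already carries the wildcard) as an added example that is not part of the thread, written against Python's standard sqlite3 module, which wraps the same SQLite library. It also shows two things the thread only hints at: the expanded statement SQLite actually ran, which is what sqlite3_trace() in the C API reports, and escaping the user's own '%' and '_' so they match literally rather than acting as wildcards. The words table contents and the escape character are constructed for the demonstration.

```python
import sqlite3

LIKE_ESCAPE = "\\"  # our chosen escape character for LIKE ... ESCAPE


def make_db():
    """Constructed copy of the question's words table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE words (ordet TEXT)")
    conn.executemany("INSERT INTO words VALUES (?)",
                     [("test",), ("tester",), ("te_st",), ("text",), ("contest",)])
    conn.commit()
    return conn


def escape_like(term):
    """Make LIKE metacharacters in user input match themselves."""
    return (term.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                .replace("%", LIKE_ESCAPE + "%")
                .replace("_", LIKE_ESCAPE + "_"))


def prefix_search(conn, term, literal=True, trace=None):
    """Words beginning with TERM, sorted.

    The wildcard is appended to the bound value, not to the SQL text, so the
    statement is prepared once and the value bound afterwards. With
    literal=True the user's own '%' and '_' are escaped first. If TRACE is a
    list, the expanded statement SQLite actually ran is appended to it (the
    same information sqlite3_trace() gives in the C API).
    """
    if trace is not None:
        conn.set_trace_callback(trace.append)
    try:
        if literal:
            sql = "SELECT ordet FROM words WHERE ordet LIKE ? ESCAPE '\\'"
            rows = conn.execute(sql, (escape_like(term) + "%",)).fetchall()
        else:
            sql = "SELECT ordet FROM words WHERE ordet LIKE ?"
            rows = conn.execute(sql, (term + "%",)).fetchall()
    finally:
        conn.set_trace_callback(None)
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    seen = []
    print(prefix_search(db, "te", trace=seen))   # ['te_st', 'test', 'tester', 'text']
    print(seen)                                   # the statement with 'te%' substituted
    print(prefix_search(db, "te_", literal=False))  # '_' acts as a wildcard: four words
    print(prefix_search(db, "te_"))                 # escaped: only 'te_st'
```

The SQL text never changes, exactly as the first answer says; the trace output is where the bound value becomes visible.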
With this code I'm trying to get the SQL CREATE statement from sqlite_master for a specific table:
[SQLStatement setString:@"SELECT name, sql FROM sqlite_master WHERE type='table' AND name='"];
[SQLStatement appendString:tableName];
[SQLStatement appendString:@"'"];
int dbrc;
const char *charSQLStatement = [SQLStatement UTF8String];
sqlite3_stmt *statement = nil;
dbrc = sqlite3_prepare_v2 (dbHandleSQLite, charSQLStatement, -1, &statement, NULL);
const char *nameColumn,*sqlColumn;
dbrc = sqlite3_step (statement);
NSString *tempString;
do {
nameColumn = sqlite3_column_text(statement,0);
sqlColumn = sqlite3_column_text(statement,1);
NSLog(@"%s",nameColumn);
NSLog(@"%s",sqlColumn);
tempString = [NSString stringWithCString:sqlColumn encoding:NSASCIIStringEncoding];
} while (sqlite3_step(statement) == SQLITE_ROW);
sqlite3_finalize (statement);
NSLog(@"%s",nameColumn);
NSLog(@"%s",sqlColumn);
The do-while loop is run through only once. You can see that I have made a small workaround to get this to work and assigned the value to tempString.
The reason is that if sqlite3_step(statement) is run again, nameColumn and sqlColumn change their values although they are not assigned again??!!
nameColumn is first assigned the name of the table and sqlColumn is assigned the "CREATE TABLE..." statement, which is OK.
But when the program comes to the while clause, nameColumn changes to "index" and sqlColumn to something unintelligible, although the loop is not repeated.
How can this happen? What am I doing wrong?
You're not doing anything wrong. sqlite reuses buffers. If you want to keep something you get from it, make a copy of it: a pointer's value is only guaranteed until the next sqlite3_step or sqlite3_finalize.
So your workaround is how you're supposed to handle this.
From the sqlite docs:
The pointers returned are valid until a type conversion occurs as described above, or until sqlite3_step() or sqlite3_reset() or sqlite3_finalize() is called. The memory space used to hold strings and BLOBs is freed automatically. Do not pass the pointers returned by sqlite3_column_blob(), sqlite3_column_text(), etc. into sqlite3_free().
I have data stored in a sqlite3 database and have several places that I read and write data to and from the database. The problem I am running into is that if the SQL statement gets to be very long the sqlite3_prepare_v2 method returns an error.
This code works:
NSString *strSQL = @"UPDATE commandList SET displayName=?, type=?, formula=?, controlButton=?, sort=? WHERE pk=?;";
const char *sql = [strSQL UTF8String];
if (sqlite3_prepare_v2(database, sql, -1, &dehydrate_statment, NULL) != SQLITE_OK) {
NSLog(@"Error: failed to create update statement with message '%s'.", sqlite3_errmsg(database));
}
But this code errors out:
NSString *strSQL = @"UPDATE commandList SET displayName=?, type=?, formula=?, onFormula=?, offFormula=?, controlButton=?, sort=? WHERE pk=?;";
const char *sql = [strSQL UTF8String];
if (sqlite3_prepare_v2(database, sql, -1, &dehydrate_statment, NULL) != SQLITE_OK) {
NSLog(@"Error: failed to create update statement with message '%s'.", sqlite3_errmsg(database));
}
note the only difference is the 1st line.
When you say "the code errors out", you really ought to post the error. This saves us from speculating, or having to write a sample to reproduce the error you are getting.
See: http://www.sqlite.org/limits.html
SQLite does limit the maximum size of an SQL statement. (This prevents undesirable behavior when run in an embedded environment, but doesn't affect the size of values bound to the statement.)
You shouldn't be running into this size limit, based on the code above, but it is hard to say what specifically you are running into because the sample + question doesn't stand alone.
The problem doesn't exist in the iPhone simulator so it must be something else.
I'm writing an application for the iPhone that communicates with a SQLite database but I'm running into a small problem. Whenever I try to query information based on a condition that contains an apostrophe, no results are returned.... even if a result that matches the requested condition exists. Let me give some specifics...
SQLite Table
Column1      Column2
Test Data    001
User's Data  002
Objective-C Code
//Create the sql statement
sqlite3_stmt *sqlStatement;
//Create the name of the category that will be passed in
NSString *categoryName = @"User's Data";
//Create the rest of the SQL query
const char *sqlQuery = "SELECT * FROM theTableName WHERE Column1 = ?";
//If there are no errors in the SQL query
if (sqlite3_prepare_v2(theDatabase, sqlQuery, -1, &sqlStatement, nil) == SQLITE_OK)
{
//Bind the category name to the sql statement
sqlite3_bind_text(sqlStatement, 1, [categoryName UTF8String], -1, SQLITE_TRANSIENT);
//While there are rows being returned
while (sqlite3_step(sqlStatement) == SQLITE_ROW)
{
//Retrieve row data
}
}
else
{
//Save error message to the application log and terminate the app
NSAssert1(0,@"Error: Failed to prepare the SQL statement with message '%s'.", sqlite3_errmsg(theDatabase));
}
//Reset the sql statement
sqlite3_reset(sqlStatement);
I'm semi-new to objective C, so my first thought when writing this code was to sanitize the user inputs. But after doing some research, I read that the sqlite3_bind calls do the necessary sanitation for you. But whenever the code runs, the while loop is skipped right over because there are no rows being returned. It should return the second row from the database table. If I copy/paste the exact same SQL query into a SQL managing program (I use SQLite Manager) (and with the necessary query sanitation of course), it returns the correct data.
I've spent a long time trying to debug this myself and even a greater amount of time trying to search online for a similar problem being explained and resolved, but to no avail. As of now, I just disabled the user's ability to key in an apostrophe on the iPhone's virtual keyboard. But this is a feature I'd love to include in my finished product. Can anyone here offer me any helpful tips? Any kind of help would be greatly appreciated.
For SQLite your request will be (as you can see, it is even highlighted wrongly):
SELECT * FROM theTableName WHERE Column1 = User's data
And it will wait for the closing ' symbol.
You should escape the ' symbol, for example in the following way:
NSString *sqlQuery = [NSString stringWithFormat:@"SELECT * FROM tableName WHERE Column1=\"%@\"", categoryName];
In this case the query will be
select * from theTableName where column1="User's data"
which is a completely legal query.
In this case you don't need binding any more and the final code will look like:
if (sqlite3_prepare_v2(database, [sqlQuery UTF8String], -1, &sqlStatement, nil) == SQLITE_OK)
{
//While there are rows being returned
while (sqlite3_step(sqlStatement) == SQLITE_ROW)
{
//Retrieve row data
}
}
else
{
//Save error message to the application log and terminate the app
NSAssert1(0,@"Error: Failed to prepare the SQL statement with message '%s'.", sqlite3_errmsg(database));
}
The official escape character is ''
Sanitize with:
NSString *stringToSanitize = @"This is the value with ' character";
NSString *sanitized = [stringToSanitize stringByReplacingOccurrencesOfString:@"'"
withString:@"''"];
Then you can use it in your queries.
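The three approaches in this thread side by side, as an added example that is not part of the question or either answer: the question's bound parameter, the second answer's doubled apostrophe, and the first answer's double-quoted value. It is written against Python's standard sqlite3 module (the same SQLite library, without Xcode); the table is a constructed copy of the one in the question, with one extra row added to show what double quotes do when the value happens to be a column name, since in SQL double quotes delimit identifiers and SQLite only falls back to treating the text as a string when no such column exists.

```python
import sqlite3


def make_db():
    """Constructed copy of the question's table, plus a row whose Column1 is
    the name of another column (used to show the double-quote pitfall)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE theTableName (Column1 TEXT, Column2 TEXT)")
    conn.executemany("INSERT INTO theTableName VALUES (?, ?)",
                     [("Test Data", "001"), ("User's Data", "002"), ("Column2", "003")])
    conn.commit()
    return conn


def lookup_bound(conn, category_name):
    """The question's own approach, which is the correct one: the value is
    bound (sqlite3_bind_text), so an apostrophe needs no special handling."""
    return conn.execute("SELECT Column2 FROM theTableName WHERE Column1 = ?",
                        (category_name,)).fetchall()


def lookup_escaped(conn, category_name):
    """The second answer: double each apostrophe, then splice the result into
    a single-quoted literal. Correct for SQLite as long as it is never forgotten."""
    sanitized = category_name.replace("'", "''")
    return conn.execute("SELECT Column2 FROM theTableName WHERE Column1 = '%s'"
                        % sanitized).fetchall()


def lookup_double_quoted(conn, category_name):
    """The first answer: wrap the raw value in double quotes. Double quotes
    mean 'identifier' in SQL; SQLite reads the text as a string only when no
    such column exists, and builds with that fallback disabled reject it.
    Returns None when SQLite rejects the statement."""
    try:
        return conn.execute('SELECT Column2 FROM theTableName WHERE Column1 = "%s"'
                            % category_name).fetchall()
    except sqlite3.Error:
        return None


if __name__ == "__main__":
    db = make_db()
    print(lookup_bound(db, "User's Data"))          # [('002',)]
    print(lookup_escaped(db, "User's Data"))        # [('002',)]
    print(lookup_double_quoted(db, "User's Data"))  # [('002',)] or None, depending on the build
    print(lookup_bound(db, "Column2"))              # [('003',)]
    print(lookup_double_quoted(db, "Column2"))      # [] : compared Column1 to Column2 instead
```

The bound version finds every row by its actual value, including the apostrophe. The double-quoted version silently compares two columns when the value collides with a column name, and a value containing a double quote changes the statement itself.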