I have an entire set of data i want to insert into a table. I am trying to have it insert/update everything OR rollback. I was going to do it in a transaction, but i wasnt sure if the sql_exec() command did the same thing.
My goal was to iterate through the list.
Select from each iteration based on the Primary Key.
If result was found:
append update to string;
else
append insert to string;
Then after iterating through the loop, i would have a giant string and say:
sql_exec(string);
sql_close(db);
Is that how i should do it? I was going to do it on each iteration of the loop, but i didnt think a global rollback if there was an error.
No, you should not append everything into a giant string. If you do, you will need to allocate a whole bunch of memory as you are going, and it will be harder to create good error messages for each individual statement, as you will just get a single error for the entire string. Why spend all of that effort, constructing one big string when SQLite is just going to have to parse it back down into its individual statements again?
Instead, as @Chad suggests, you should just use
sqlite3_exec()on aBEGINstatement, which will begin a transaction. Thensqlite3_exec()each statement in turn, and finallysqlite3_exec()aCOMMITorROLLBACKdepending on how everything goes. TheBEGINstatement will start a transaction, and all of the statements executed after that will be within that transaction, and so committed or rolled back together. That’s what the “A” in ACID stands for; Atomic, as all of the statements in the transaction will be committed or rolled back as if they were a single atomic operation.Furthermore, you probably shouldn’t use
sqlite3_exec()if some of the data varies within each statement, such as being read from a file. If you do, a mistake could easily leave you with an SQL injection bug. For instance, if you construct your query by appending strings, and you have strings likechar *str = "it's a string"to insert, if you don’t quote it properly, your statement could come out likeINSERT INTO table VALUES ('it's a string');, which will be an error. Or if someone malicious could write data into this file, then they could cause you to execute any SQL statement they want (imagine if the string were"'); DROP TABLE my_important_table; --"). You may think that no one malicious is going to provide input, but you can still have accidental problems, if someone puts a character that confuses the SQL parser into a string.Instead, you should use
sqlite3_prepare_v2()andsqlite3_bind_...()(where...is the type, likeintordoubleortext). In order to do this, you use a statement likechar *query = "INSERT INTO table VALUES (?)", where you substitute a?for where you want your parameter to go, prepare it usingsqlite3_prepare_v2(db, query, -1, &stmt, NULL), bind the parameter usingsqlite3_bind_text(stmt, 1, str, -1, SQLITE_STATIC), then execute the statement withsqlite3_step(stmt). If the statement returns any data, you will getSQLITE_ROW, and can access the data using the varioussqlite3_columne_...()functions. Be sure to read the documentation carefully; some of the example parameters I gave may need to change depending on how you use this.Yes, this is a bit more of a pain than calling
sqlite3_exec(), but if your query has any data loaded from external sources (files, user input), this is the only way to do it correctly.sqlite3_exec()is fine to call if the entire text of the query is contained within your source, such as theBEGINandCOMMITorROLLBACKstatements, or pre-written queries with no parts coming from outside of your program, you just need prepare/bind if there’s any chance that an unexpected string could get in.Finally, you don’t need to query whether something is in the database already, and then insert or update it. You can do a
INSERT OR REPLACEquery, which will either insert a record, or replace one with a matching primary key, which is the equivalent of selecting and then doing anINSERTor anUPDATE, but much quicker and simpler. See theINSERTand “on conflict” documentation for more details.