I have to prepare strings to be suitable for queries because these strings will be used in the queries as field values. If they contain a ' etc., the SQL query fails to execute.
I therefore want to replace ' with ''. I have seen the code to find and replace a substring with a substring, but I guess the problem is a little tricky because the replacing string also contains two single quotes '' replacing one quote ', so when I have to find the next occurrence it would encounter a ' which was intentionally replaced.
I am using the SQLite C API and the example query might look like this:
select * from persons where name = 'John D'oe'
Since John D'oe contains a ', the query will fail, so I want all occurrences of ' in the name to be replaced with ''.
Any ideas how you guys prepare your field values to be used in SQL queries? Maybe it's a basic thing, but I am not too smart in C/C++.
Your help would be very helpful.
Use queries with arguments instead of replacing stuff, which could lead to several problems (like SQL injection vulnerabilities).
MySQL example:
This will execute
SELECT * FROM TABLE WHERE ID = 1.
EDIT: more info for SQLite prepared statements here and here.