Home/ Questions/Q 8297519
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T15:26:43+00:00

I’m creating an app which downloads a XML and inserts its values into a

  • 0

I’m creating an app which downloads a XML and inserts its values into a SQLite3 database. It was giving an error whenever there was a ', so I created this function to escape the strings:

+(NSString *)escapeString:(NSString *)string {
  NSRange range = NSMakeRange(0, [string length]); 
  NSMutableString *str =
    [NSMutableString stringWithString:string];  
  [str replaceOccurrencesOfString:@"'" withString:@"\\\'" options:0 range:range];
  return str; 
}

The problem is that the database is now gimming the error unrecognized token: "\". What am I doing wrong? BTW, I’m still using Tiger, can it be related to having an old version of SQLite? If yes, how do I solve that? Note that the app I’m creating must also work on Tiger and preferably, on Panther.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    SQL does not escape with slash characters. It uses single quotes ' to escape within strings.

    INSERT INTO xyz VALUES('5 O''clock');

    Reference

    So I assume (I don’t know what language you’re using) this line:

    [str replaceOccurrencesOfString:@"'" withString:@"\\\'" options:0 range:range];

    should actually be:

    [str replaceOccurrencesOfString:@"'" withString:@"''" options:0 range:range];

    You are going against the best practices by scrubbing the content yourself. It’s better to use sqlite’s binding facilities.

    Instead of doing the string manipulation yourself:

    sql = "INSERT INTO xyz VALUES('"+ my_value +"');"

    you’d use something like this:

    sql = "INSERT INTO xyz VALUES(?1);"

    Then use the bind calls to assign the contents of ?1.

    • 0