Can't insert " character into Sqlite DB [Objective-C]

525 views Asked by At

I'm inserting some data on a sqlite db, It works fine but what I noticed is that I can't insert words that contains the character ", is it a common issue? should I change parse the text and edit every " character I find?

This is the code i'm using in order to insert data into my DB:

UICollectionViewCell *cell = (UICollectionViewCell *)button.superview.superview;
        NSIndexPath *indexPath = [self.customCollectionView indexPathForCell:cell];
        FolderProducts *item = _feedItems[indexPath.item];

        sqlite3_stmt    *statement;
        const char *dbpath = [databasePath UTF8String];

        if (sqlite3_open(dbpath, &Carrello) == SQLITE_OK)
        {
            NSString *insertSQL = [NSString stringWithFormat: @"INSERT INTO CarrelloMese (titolo, codice, prezzo, urlImg) VALUES (\"%@\", \"%@\", \"%@\", \"%@\")",item.nomeProdotto, item.codice, item.prezzo, item.urlImg];

            const char *insert_stmt = [insertSQL UTF8String];

            sqlite3_prepare_v2(Carrello, insert_stmt, -1, &statement, NULL);

            if (sqlite3_step(statement) == SQLITE_DONE)
            {

            } else {

            }

            sqlite3_finalize(statement);
            sqlite3_close(Carrello);
        }
1

There are 1 answers

5
Rob Sanders On BEST ANSWER

You need to bind your SQLite statements using the sqlite3_bind_xxx() function. Basically, you remove all variables from your statement (in your case the %@) and replace them with '?'. SQLite then knows that where an ? is HAS to be a variable, and therefore doesn't get it mixed up with a command.

For example, say you wanted to bind the word "INSERT". Using ? SQLite won't read this as a command and then flag an error.

Read the docs (link above) for full information on how to use the bind function.

Here's what your code might look like with binding (UNTESTED):

sqlite3_stmt    *statement;
        const char *dbpath = [databasePath UTF8String];

        if (sqlite3_open(dbpath, &Carrello) == SQLITE_OK)
        {
            NSString *insertSQL = [NSString stringWithFormat: @"INSERT INTO CarrelloMese (titolo, codice, prezzo, urlImg) VALUES (?,?,?,?)"];

            const char *insert_stmt = [insertSQL UTF8String];

            sqlite3_prepare_v2(Carrello, insert_stmt, -1, &statement, NULL);

            if (sqlite3_bind_text(statement, 0, item.nomeProdotto.UTF8String, item.nomeProdotto.length, SQLITE_STATIC) != SQLITE_OK) {
                NSLog(@"An error occurred");
            }
            // Etc etc
            // SQLite bind works like this: sqlite_bind_text/int/e.t.c(sqlite3_stmt,index_of_variable, value); 
            // there are optionally parameters for text length and copy type SQLITE_STATIC and SQLITE_TRANSIENT.

            if (sqlite3_step(statement) == SQLITE_DONE)
            {

            } else {

            }

            sqlite3_finalize(statement);
            sqlite3_close(Carrello);
        }