views: 236
answers: 1

Hi,

In the following piece of code, I see that when my 'description' is something like " ' ' ", I have a problem updating the description in the SQLite record. How do I handle the ' character? Thanks!

// description is pasted straight into the SQL text, so a ' inside it
// ends the string literal early (the problem described above)
sql = wxString::Format(
    "UPDATE event SET event_description='%s' WHERE id=%d",
    description.c_str(),
    event_id);
rc = sqlite3_exec((sqlite3 *)_theDB, sql.c_str(), NULL, 0, &sqlError);

The OP answered his own question:

Check this FAQ out: we need to replace the occurrences of ' with '' in the string.

+1  A: 

Doubling up all the single quotes in the description string is one way to do it. This way you can avoid malicious descriptions (see Bobby Tables).

 ' '

becomes:

 '' ''

And more importantly, the potentially dangerous description:

' WHERE 1=1 DELETE FROM Event --

becomes the harmless:

'' WHERE 1=1 DELETE FROM Event --

Another (safer) way is to use prepared statements.

Eclipse
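The following is an added example, not code from the question or the answer above. It reproduces the OP's UPDATE against an in-memory SQLite table (the table and its two rows are constructed here) in three forms: the original string formatting, the same formatting with the quote doubling the answer recommends, and a parameterized statement. Python's sqlite3 module is used so the example runs without a C toolchain; the equivalent sqlite3 C API calls for the parameterized form are sqlite3_prepare_v2, sqlite3_bind_text, sqlite3_bind_int and sqlite3_step. The injection payload is a constructed variant of the answer's one with a trailing SQL comment, so that the unescaped statement actually parses and shows the damage.

```python
import sqlite3

# Constructed sample schema and rows, mirroring the OP's "event" table.
TABLE_SQL = "CREATE TABLE event (id INTEGER PRIMARY KEY, event_description TEXT)"
ROWS = [(1, "first"), (2, "second")]


def escape_sql_string(value):
    """Double every single quote, as the accepted answer suggests.

    This is only correct for text that goes inside a '...' literal; it
    does nothing useful for numbers or identifiers.
    """
    return value.replace("'", "''")


def update_unescaped(conn, event_id, description):
    # The OP's original approach: the description is pasted into the SQL text.
    sql = "UPDATE event SET event_description='%s' WHERE id=%d" % (description, event_id)
    conn.execute(sql)


def update_escaped(conn, event_id, description):
    # Same string building, but with the quote doubling applied first.
    # %d is safe for event_id only because it forces an integer.
    sql = "UPDATE event SET event_description='%s' WHERE id=%d" % (
        escape_sql_string(description), event_id)
    conn.execute(sql)


def update_prepared(conn, event_id, description):
    # The "safer way": the value never becomes part of the SQL text,
    # so no escaping is needed at all.
    conn.execute("UPDATE event SET event_description=? WHERE id=?",
                 (description, event_id))


def run(update_fn, description):
    """Apply update_fn to row 1 of a fresh database.

    Returns the table contents afterwards, or the exception class name
    if SQLite rejected the statement.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(TABLE_SQL)
    conn.executemany("INSERT INTO event VALUES (?, ?)", ROWS)
    try:
        update_fn(conn, 1, description)
    except sqlite3.Error as exc:
        return type(exc).__name__
    rows = conn.execute(
        "SELECT id, event_description FROM event ORDER BY id").fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for payload in [" ' ' ", "x' WHERE 1=1 --"]:
        for fn in (update_unescaped, update_escaped, update_prepared):
            print("%-16s %-20r -> %r" % (fn.__name__, payload, run(fn, payload)))
```

With the OP's " ' ' " the unescaped statement is a syntax error, while the escaped and parameterized forms store the text unchanged. With the injected payload the unescaped statement updates every row, because the WHERE clause is rewritten and the real one is commented out; the other two store the payload as plain text in row 1 only.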