C++;sqlite3的用户输入 我有一个课堂作业,要求我们写一个C++程序来跟踪花费,允许修改记录,并返回关于个人开销的“满意”数字(即用户花了那么多钱的感觉)。我们的讲师表示希望我们在本课程中使用sqlite3。他给了我们一个示例程序,该程序在sqlite3中构建一个表,并为列输入预定值。这个程序运行得很好,没有问题
我试图做的是修改程序以接受用户输入并将其存储在sqlite3数据库中。这是我迄今为止的代码:C++;sqlite3的用户输入 我有一个课堂作业,要求我们写一个C++程序来跟踪花费,允许修改记录,并返回关于个人开销的“满意”数字(即用户花了那么多钱的感觉)。我们的讲师表示希望我们在本课程中使用sqlite3。他给了我们一个示例程序,该程序在sqlite3中构建一个表,并为列输入预定值。这个程序运行得很好,没有问题,c++,sql,sqlite,C++,Sql,Sqlite,我试图做的是修改程序以接受用户输入并将其存储在sqlite3数据库中。这是我迄今为止的代码: int main() { string salesDesc; int price; int satisf; sqlite3 *db; char *szErrMsg = 0; cout << "Description of Expense: "; cin >> saleDesc; cout << endl
int main()
{
string salesDesc;
int price;
int satisf;
sqlite3 *db;
char *szErrMsg = 0;
cout << "Description of Expense: ";
cin >> saleDesc;
cout << endl;
cout << "Price: ";
cin >> price;
cout << endl;
cout << "Your Satisfaction: ";
cin >> satisf;
cout << endl;
// open database
int rc = sqlite3_open("spending_track.sqlite", &db);
if (rc)
{
cout << "Cannot open database\n";
}
else
{
cout << "Database opened successfully\n";
}
const char *pSQL[6];
pSQL[0] = "CREATE TABLE IF NOT EXISTS expenses(id INTEGER PRIMARY KEY "
"AUTOINCREMENT NOT NULL, logged TIMESTAMP DEFAULT "
"CURRENT_TIMESTAMP NOT NULL, desc VARCHAR(40), price INT,"
"satisfaction INT)";
pSQL[1] = "INSERT INTO expenses('" + string(saleDesc) + "'," price "," satisf ")";
pSQL[2] = "SELECT * FROM expenses";
pSQL[3] = "SELECT sum(satisf) FROM expenses";
// blablabla the rest of the program
intmain()
{
字符串saledesc;
国际价格;
int satisf;
sqlite3*db;
char*szErrMsg=0;
cout>saleDesc;
价格;
cout-satisf;
cout由于这只是一个类分配,我怀疑您是否需要担心SQL注入攻击,所以我不会费心尝试清理您的输入
您的另一个问题是您混淆了char*
s和std::string
s。sqlite API要求您传递它char*
s,以便可以从C代码使用它,但这并不意味着您需要使用它们。std::string
是char数组的包装器,您可以通过C_str()
method。我认为您真的不需要将SQL语句放在最后的数组中。类似这样的方法如何:
std::string addTable = "CREATE TABLE IF NOT EXISTS expenses(id INTEGER PRIMARY KEY "
"AUTOINCREMENT NOT NULL, logged TIMESTAMP DEFAULT "
"CURRENT_TIMESTAMP NOT NULL, desc VARCHAR(40), price INT,"
"satisfaction INT)";
std::string insertExpense = "INSERT INTO expenses('" + saleDesc + "'," + std::to_string(price) "," + std::to_string(satisf) + ")";
std::string selectAllExpenses = "SELECT * FROM expenses";
然后,当您想将其传递给sqlite API时,可以使用c\u str()
谢谢大家的回答。我昨天花了大约一个半小时和我的教授讨论了这个问题,这实际上让他很难堪。我最终找到了一种方法使这个数组能够工作,但我想强调的是,我提出的解决方案几乎只适用于这个作业。对于任何一个以类似p问题是,这种方法不仅杂乱无章,而且允许SQL注入,这应该避免
正如许多人在评论中提到的那样,问题在于我试图将字符串粘贴到char*数组中。我们提出的解决方法是将SQL命令中展开的变量直接添加到字符串变量中,如下所示:
string insertExpense = "INSERT INTO expenses(desc, price, satisf) VALUES ('" + saleDesc + "', "
""+ to_string(price) + ", " + to_string(satisf) + ")";
const char *line1 = insertExpense.c_str();
const char *pSQL[6];
pSQL[0] = "CREATE TABLE IF NOT EXISTS expenses(id INTEGER PRIMARY KEY "
"AUTOINCREMENT NOT NULL, logged TIMESTAMP DEFAULT "
"CURRENT_TIMESTAMP NOT NULL, desc VARCHAR(40), price REAL,"
"satisf INT)";
pSQL[1] = line1;
pSQL[2] = "SELECT * FROM expenses";
pSQL[3] = "SELECT sum(satisf) FROM expenses";
然后我们将该变量设为c_str,并将其分配给char*变量,如下所示:
string insertExpense = "INSERT INTO expenses(desc, price, satisf) VALUES ('" + saleDesc + "', "
""+ to_string(price) + ", " + to_string(satisf) + ")";
const char *line1 = insertExpense.c_str();
const char *pSQL[6];
pSQL[0] = "CREATE TABLE IF NOT EXISTS expenses(id INTEGER PRIMARY KEY "
"AUTOINCREMENT NOT NULL, logged TIMESTAMP DEFAULT "
"CURRENT_TIMESTAMP NOT NULL, desc VARCHAR(40), price REAL,"
"satisf INT)";
pSQL[1] = line1;
pSQL[2] = "SELECT * FROM expenses";
pSQL[3] = "SELECT sum(satisf) FROM expenses";
然后,我们简单地将这个char*变量直接分配到数组中的正确位置,如下所示:
string insertExpense = "INSERT INTO expenses(desc, price, satisf) VALUES ('" + saleDesc + "', "
""+ to_string(price) + ", " + to_string(satisf) + ")";
const char *line1 = insertExpense.c_str();
const char *pSQL[6];
pSQL[0] = "CREATE TABLE IF NOT EXISTS expenses(id INTEGER PRIMARY KEY "
"AUTOINCREMENT NOT NULL, logged TIMESTAMP DEFAULT "
"CURRENT_TIMESTAMP NOT NULL, desc VARCHAR(40), price REAL,"
"satisf INT)";
pSQL[1] = line1;
pSQL[2] = "SELECT * FROM expenses";
pSQL[3] = "SELECT sum(satisf) FROM expenses";
这个方法正确地生成SQL表,并用存储在各自变量中的正确语句填充它。我想再次强调,这个方法非常混乱和危险,对于任何有类似问题的人来说,使用准备好的语句可能是一个更好的主意,因为注释中的其他人已经注意到了这一点谢谢大家!你们不能这样使用char*
。是时候抛弃char*
,改用std::string
,甚至std::stringstream
(以便更轻松地创建SQL语句)接受用户输入并将其直接放入SQL语句是一个坏主意,但对于您的赋值来说,这并不重要。您应该过滤他们的输入。pSQL[1]允许SQL注入,并且语法无效。如果您想避免注入问题,请检查字符串也不起作用。请参见上文。如何“过滤”一个输入?这是我的第一个编程类,所以我对C++是相当新的,我们只是在上周才第一次查看SQL。