Sending SQL to SQLite
The PHP function sqlite_exec() sends an SQL statement to the database. As the first parameter, the database handlereturned by sqlite_open()is used; the second parameter is the SQL string. To avoid SQL injection, the PHP function sqlite_escape_string() escapes dangerous characters in dynamic data. The preceding code implements this for the sample table quotes that has also been used in the MySQL phrases.
Sending SQL to SQLite (sqlite_exec.php; excerpt)
<?php
if ($db = @sqlite_open('quotes.db', 0666, $error))
{
require_once 'stripFormSlashes.inc.php';
sqlite_exec($db, sprintf(
'INSERT INTO quotes (quote, author, year)
VALUES (\'%s\', \'%s\', \'%s\')',
sqlite_escape_string($_POST['quote']),
sqlite_escape_string($_POST['author']),
intval($_POST['year'])));
echo 'Quote saved.';
sqlite_close($db);
} else {
echo 'Connection failed: ' . htmlspecialchars
($error);
}
?>
If a table contains an identity column (data type INTEGER PRIMARY KEY when using SQLite), calling sqlite_last_insert_rowid() after sending an SQL statement returns the value this column has for the new entry in the database. |
|