
syntax error with insert statement

I am using c/c++ with sqlite. My code shown below compiles but after I entered my password, I encountered this error.

    SQL error: near "NSERT": syntax error

I am unable to identify where exactly the syntax error is.

code

#include <stdio.h>
#include <stdlib.h>
#include <sqlite3.h> 
#include <string>
#include <iostream>


void insertIntoTable(std::string userName,std::string password);

int main () {
    std::string userName;
    std::string password;
    std::cout << "Enter a user name" << std::endl;
    std::cin >> userName;
    std::cout << "Enter a password" << std::endl;
    std::cin >> password;   // the original post was missing this semicolon
    insertIntoTable(userName,password);
} 

//method to insert into table
void insertIntoTable(std::string userName,std::string password) {
    sqlite3 *db;
    char *zErrMsg = 0;
    int  rc;
    const char *sql;
    int i = 1;
    int j = 1;

    rc = sqlite3_open("test.db", &db);
    if( rc )
    {
       fprintf(stderr, "Can't open database: %s\n", sqlite3_errmsg(db));
       exit(0);
    }else
    {
       fprintf(stderr, "Opened database successfully\n");
    }
   //query
   sql = "INSERT INTO Login (_id,username,password,manager_id) "  \
         "VALUES ("+i,userName,password,j+");"; 
}

Please help. thanks

sql = "INSERT INTO Login (_id,username,password,manager_id) "  \
      "VALUES ("+i,userName,password,j+");"; 

That is nonsense. You can't build strings by adding non-string values to a C-style character array or pointer; and the comma operator doesn't append a comma to the string, but instead discards the value of the previous expression after performing its side effects. This means that the whole expression is equivalent to

sql = "INSERT..." + i;

which adds the value of i (1) to the address of a string literal to get a pointer to the second character; so the overall result is NSERT INTO Login (_id,username,password,manager_id) VALUES (

You want to use std::string. In C++11, there are handy functions to convert numbers to strings:

std::string sql = "INSERT INTO Login (_id,username,password,manager_id) "
                  "VALUES (" + std::to_string(i) + ',' 
                             + userName + ','
                             + password + ',' 
                             + std::to_string(j) + ");";

Historically, you would need a string-stream:

#include <sstream>   // std::stringstream
#include <string>

std::stringstream s;
s << "INSERT INTO Login (_id,username,password,manager_id) VALUES ("
  << i << ',' << userName << ',' << password << ',' << j << ");";
std::string sql = s.str();

All of these answers are terribly wrong. String interpolation for SQL query execution is the express train into injection land. There is no reason why you should ever use it.

The correct way is to use sqlite3_bind to bind values against placeholders in the prepared statement, i.e. the code should look like this:

#include <cstring>   // strlen

sql = "INSERT INTO Login (_id,username,password,manager_id) "
      "VALUES (?, ?, ?, ?);";
sqlite3_stmt* stmt = nullptr;
rc = sqlite3_prepare_v2(db, sql, strlen(sql), &stmt, nullptr);
if (rc != SQLITE_OK) { /* report sqlite3_errmsg(db) and bail out */ }
// Now bind the parameters; indices are 1-based and follow the order of the '?' marks.
sqlite3_bind_int(stmt, 1, i);
sqlite3_bind_text(stmt, 2, userName.c_str(), userName.size(), SQLITE_TRANSIENT);
sqlite3_bind_text(stmt, 3, password.c_str(), password.size(), SQLITE_TRANSIENT);
sqlite3_bind_int(stmt, 4, j);
// Now execute: a single INSERT returns SQLITE_DONE when it succeeds.
rc = sqlite3_step(stmt);
if (rc != SQLITE_DONE) { /* report sqlite3_errmsg(db) */ }
sqlite3_finalize(stmt);   // release the statement whatever happened
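To make the difference between the two approaches concrete, here is an added example (not from the original answer) using Python's built-in sqlite3 module, which wraps the same SQLite library and the same `?` placeholders and runs without linking libsqlite3 by hand. The Login table and the inputs are constructed for the demo; a user name with an apostrophe is ordinary data, yet it breaks the concatenated statement with exactly the kind of syntax error the question reports, while the bound version stores it verbatim.

```python
import sqlite3

# Constructed schema matching the columns used in the question.
SCHEMA = ("CREATE TABLE Login (_id INTEGER PRIMARY KEY, username TEXT, "
          "password TEXT, manager_id INTEGER)")


def open_db():
    """In-memory database with the Login table (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_login_bound(conn, _id, user_name, password, manager_id):
    """Parameterised INSERT: '?' placeholders, values bound by the driver,
    so quotes inside the data never reach the SQL parser."""
    conn.execute(
        "INSERT INTO Login (_id, username, password, manager_id) "
        "VALUES (?, ?, ?, ?)",
        (_id, user_name, password, manager_id),
    )
    conn.commit()


def insert_login_concat(conn, _id, user_name, password, manager_id):
    """The string-building approach from the other answers, kept only to
    show why it fails: the data becomes part of the statement text."""
    sql = ("INSERT INTO Login (_id, username, password, manager_id) VALUES ("
           + str(_id) + ", '" + user_name + "', '" + password + "', "
           + str(manager_id) + ");")
    conn.execute(sql)
    conn.commit()


def fetch_login(conn, _id):
    """Read a row back, also via a bound parameter."""
    return conn.execute(
        "SELECT username, password, manager_id FROM Login WHERE _id = ?",
        (_id,)).fetchone()


def demo():
    """Returns (row stored by the bound insert, error text from the concat insert)."""
    conn = open_db()
    insert_login_bound(conn, 1, "O'Brien", "s3cret", 1)   # constructed input
    stored = fetch_login(conn, 1)
    try:
        insert_login_concat(conn, 2, "O'Brien", "s3cret", 1)
        concat_error = None
    except sqlite3.Error as exc:       # the apostrophe ends the literal early
        concat_error = str(exc)
    return stored, concat_error


if __name__ == "__main__":
    print(demo())
```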

Looks like you have a problem with the VALUES statement:

VALUES ("+i,userName,password,j+");";

should be

"VALUES ("+std::to_string(i)+","+userName+","+password+","+std::to_string(j)+");";

If you don't have std::to_string (no C++11) you need some other way to convert int to std::string, like stringstream.

I'm 80% sure this is how it's supposed to be... not sure because it's not pure SQL, but... yep

std::string sql = "INSERT INTO `Login` (`_id`, `username`, `password`, `manager_id`) "
                  "VALUES (" + std::to_string(i) + ", '" + userName + "', '" + password + "', " + std::to_string(j) + ");";

You cannot build strings like this.

You have two options: use std::string and form the string with the + operator, or, if you would like to stick with char*, use the code below.

char *sql = static_cast<char*>(malloc(NumberOfCharYouNeed)); // allocate enough bytes for the whole statement plus the terminating NUL

// std::string cannot be passed to a varargs function; hand over c_str() instead.
snprintf(sql, NumberOfCharYouNeed, "INSERT INTO Login (_id,username,password,manager_id) VALUES (%d,'%s','%s',%d)", i, userName.c_str(), password.c_str(), j);

Note: Make sure you free(sql) after your use.
