The PHP function sqlite_exec() sends an SQL statement to the database. As the first parameter, the database handlereturned by sqlite_open()is used; the second parameter is the SQL string. To avoid SQL injection, the PHP function sqlite_escape_string() escapes dangerous characters in dynamic data. The preceding code implements this for the sample table quotes that has also been used in the MySQL phrases. Sending SQL to SQLite (sqlite_exec.php; excerpt) <?php if ($db = @sqlite_open('quotes.db', 0666, $error)) { require_once 'stripFormSlashes.inc.php'; sqlite_exec($db, sprintf( 'INSERT INTO quotes (quote, author, year) VALUES (\'%s\', \'%s\', \'%s\')', sqlite_escape_string($_POST['quote']), sqlite_escape_string($_POST['author']), intval($_POST['year']))); echo 'Quote saved.'; sqlite_close($db); } else { echo 'Connection failed: ' . htmlspecialchars ($error); } ?> TIP If a table contains an identity column (data type INTEGER PRIMARY KEY when using SQLite), calling sqlite_last_insert_rowid() after sending an SQL statement returns the value this column has for the new entry in the database. |
|