1. 首頁
  2. 問答
  3. 的NSString stringWithFormat事與願違的結果

的NSString stringWithFormat事與願違的結果

2012-01-11 53 views
1

我要讓SQL SELECT一句話是這樣的:的NSString stringWithFormat事與願違的結果

NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%Y',startDate)",ID,date]);

,但它打印對我說:

sql = select * from Table1 Where ID = 1 AND '2012' = strftime('Y',startDate)

%Y變成Y,我怎麼能避免這種情況?

來源

2012-01-11 Streetboy

+1

僅供參考,這是真的容易注入攻擊。我只需要這樣做:date = @「'; drop table Table1; - 」; * *您的數據已經消失。 – 2012-01-11 17:02:59

回答

4

添加另一個%逃離%字符:

NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%%Y',startDate)",ID,date]);

來源

2012-01-11 16:05:01 jlehr

1

添加%這樣NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%%Y',startDate)",ID,date]);

來源

2012-01-11 16:04:31 phi

相關問題

 相關問題