1
我要讓SQL SELECT一句話是這樣的:的NSString stringWithFormat事與願違的結果
NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%Y',startDate)",ID,date]);
,但它打印對我說:
sql = select * from Table1 Where ID = 1 AND '2012' = strftime('Y',startDate)
%Y變成Y,我怎麼能避免這種情況?
僅供參考,這是真的容易注入攻擊。我只需要這樣做:date = @「'; drop table Table1; - 」; * *您的數據已經消失。 – 2012-01-11 17:02:59