的NSString stringWithFormat事与愿违的结果
问题描述:
我要让SQL SELECT一句话是这样的:的NSString stringWithFormat事与愿违的结果
NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%Y',startDate)",ID,date]);
,但它打印对我说:
sql = select * from Table1 Where ID = 1 AND '2012' = strftime('Y',startDate)
%Y变成Y,我怎么能避免这种情况?
答
添加另一个%
逃离%
字符:
NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%%Y',startDate)",ID,date]);
答
添加%这样NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%%Y',startDate)",ID,date]);
仅供参考,这是真的容易注入攻击。我只需要这样做:date = @“'; drop table Table1; - ”; * *您的数据已经消失。 – 2012-01-11 17:02:59