的NSString stringWithFormat事与愿违的结果

NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%Y',startDate)",ID,date]);

，但它打印对我说：

sql = select * from Table1 Where ID = 1 AND '2012' = strftime('Y',startDate)

％Y变成Y，我怎么能避免这种情况？

2012-01-11 Streetboy

仅供参考，这是真的容易注入攻击。我只需要这样做：date = @“'; drop table Table1; - ”; * *您的数据已经消失。 – 2012-01-11 17:02:59

添加另一个%逃离%字符：

NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%%Y',startDate)",ID,date]);

2012-01-11 16:05:01 jlehr

添加％这样NSLog(@"sql = %@",[NSString stringWithFormat:@"select * from Table1 Where ID = %i AND '%@' = strftime('%%Y',startDate)",ID,date]);

2012-01-11 16:04:31 phi

回答