Storing Data in SQLite

Is there a way to store TEXT in SQLite database without SQLite trying to parse it? Ran into a problem where when you store TEXT that is similar to SQLite query, it tries to parse it for some reason.

Query I use to save TEXT: "insert into tableName (Name, DateCreated, Reminder, Content) values ('name', 'currentDate', 'reminder', 'content')".

Similar text I'm trying to save: "SELECT NAME FROM sqlite_master WHERE TYPE='table' ORDER BY NAME".

When i try to save something like that, it says: Error: SQL logic error or missing database near "table":syntax error

Please note that values (name, currentDate, reminder, content) are not hard coded, they are passed as strings. actual code is like below:

SQLiteCommand command = new SQLiteCommand("insert into " + cateName + " (Name, DateCreated, Reminder, Content) values ('" + noteName + "', '" + currentDate + "', '" + reminder + "', '" + content + "')", connection);

Thanks for any input.

Jon Skeet
people
quotationmark

As I suspect, the problem is that you're putting your values directly into the SQL - without even trying to escape them. Don't do that. As well as the problems you're seeing, you've opened yourself up to a SQL injection attack. Use parameterized SQL instead, and specify values for the parameters.

For example:

// It's not clear what cateName is, but I'll assume *that* bit is valid...
string sql = new SQLiteCommand("insert into " + cateName +
     " (Name, DateCreated, Reminder, Content) values " +
     "(@Name, @DateCreated, @Reminder, @Content)");

using (var command = new SQLiteCommand(sql, connection))
{
    command.Parameters.Add("@Name", SQLiteType.Text).Value = noteName;
    command.Parameters.Add("@DateCreated", SQLiteType.DateTime).Value = currentDate;
    command.Parameters.Add("@Reminder", SQLiteType.Text).Value = reminder;
    command.Parameters.Add("@Content", SQLiteType.Text).Value = content;
    command.ExecuteNonQuery();
}

people

See more on this question at Stackoverflow