I found a bug in the program in QString
-
QString sql = QString("SELECT ComName FROM ComInfo WHERE ComCode LIKE \'%%1%\' LIMIT %2 OFFSET %3").arg("0107").arg(50).arg(0);
qDebug()<<"sql:"<<sql;
The above code returns the output:

The first '%' and the '0107' in '%%1%' combine, so that where the original '%1' should have been replaced by 0107, the result is 5007; that is, the second value, 50, replaced the '%01' part, and '%2' was replaced by the 0 that should have gone to the third one.
2 Solutions
Make 'LIMIT %2 OFFSET %3' a separate QString and then splice the two together.
Such as:
QString sql = QString("SELECT ComName FROM ComInfo WHERE ComCode LIKE \'%%1%\'").arg("0107") + QString(" LIMIT %2 OFFSET %3").arg(50).arg(0);
-
Ummm...you probably need to escape the (%) that you don't intend to substitute.
-
It's not a bug, it works as intended and documented.
Don't build your query this way to avoid sql injection. Use a prepared query and bind values.
-
@Christian-Ehrlicher said in I found a bug in the program in QString:
Don't build your query this way to avoid sql injection.
Can't stress enough how important this is.
In other use cases, to avoid that "bug" you can use this version of arg:
QStringLiteral("\'%%1%\' LIMIT %2 OFFSET %3").arg(QStringLiteral("0107"),QStringLiteral("50"),QStringLiteral("0"));
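
The substitution behaviour discussed in this thread, as an added example that is not part of any post and is not Qt's code: a simplified standard-C++ model of why chained arg() calls rescan text inserted by an earlier call while the multi-argument form does not. The names `findMarkers`, `substitute`, `argOnce` and `argMulti` are hypothetical, and the model assumes a marker is '%' followed by one or two digits, ignoring the `L` flag and field widths.

```cpp
// Simplified model of QString::arg() place markers (added example, not Qt source).
#include <map>
#include <string>
#include <vector>

struct Marker { size_t pos, len; int num; };  // one %N or %NN place marker

// Assumption of this model: '%' plus one or two digits is a marker, so "%01" is marker 1.
static std::vector<Marker> findMarkers(const std::string& s) {
    std::vector<Marker> out;
    auto digit = [&](size_t i) { return i < s.size() && s[i] >= '0' && s[i] <= '9'; };
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%' || !digit(i + 1)) continue;
        Marker m{i, 2, s[i + 1] - '0'};
        if (digit(i + 2)) { m.num = m.num * 10 + (s[i + 2] - '0'); m.len = 3; }
        out.push_back(m);
        i += m.len - 1;  // resume after the marker
    }
    return out;
}

// Rebuild s, replacing markers whose number is a key of repl; others stay verbatim.
static std::string substitute(const std::string& s, const std::map<int, std::string>& repl) {
    std::string out;
    size_t last = 0;
    for (const Marker& m : findMarkers(s)) {
        auto it = repl.find(m.num);
        if (it == repl.end()) continue;
        out.append(s, last, m.pos - last).append(it->second);
        last = m.pos + m.len;
    }
    return out.append(s, last, std::string::npos);
}

// Chained .arg(a): fills the lowest-numbered marker of the string as it is now,
// so text inserted by an earlier call is scanned again.
std::string argOnce(const std::string& s, const std::string& a) {
    int lowest = 100;  // above any marker number this model accepts
    for (const Marker& m : findMarkers(s)) if (m.num < lowest) lowest = m.num;
    return substitute(s, {{lowest, a}});
}

// Multi-argument .arg(a, b, ...): markers are located once, so inserted text is not rescanned.
std::string argMulti(const std::string& s, const std::vector<std::string>& args) {
    std::map<int, std::string> repl;
    for (const Marker& m : findMarkers(s)) repl[m.num];  // distinct numbers, ascending
    auto it = repl.begin();
    for (size_t i = 0; it != repl.end() && i < args.size(); ++i, ++it) it->second = args[i];
    repl.erase(it, repl.end());  // more markers than arguments: leave the rest in place
    return substitute(s, repl);
}
```

With the thread's format string `'%%1%' LIMIT %2 OFFSET %3`, three chained `argOnce` calls with 0107, 50 and 0 give `'5007%' LIMIT 0 OFFSET %3`, while `argMulti` gives `'%0107%' LIMIT 50 OFFSET 0`. Either way the value still ends up inside the SQL text, which is what the prepared-query advice in the replies addresses.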