The third parameter of sqlite3_prepare16 must be the length of the statement, in bytes. However, sizeof(update) is the size of the update variable, which is just a pointer, which happens to have the same size as two characters. You have to give either the actual length (which was already computed by swprintf), or just -1.

Please note that this will still blow up when the name contains a quote. You should use parameters to avoid such formatting problems:
#include <wchar.h>
#include <sqlite3.h>

extern sqlite3 *sqdb;   /* the already-open database handle from the question */

void update_name(int row, wchar_t* name)
{
    /* '?' placeholders: the name is bound as data, never pasted into the SQL text */
    const wchar_t* update = L"UPDATE mytable SET name=? WHERE id=?";
    sqlite3_stmt *stmt;
    // error handling is missing
    sqlite3_prepare16(sqdb, update, -1, &stmt, 0);          /* -1: scan to the NUL terminator */
    sqlite3_bind_text16(stmt, 1, name, -1, SQLITE_STATIC);  /* parameter 1 = name */
    sqlite3_bind_int(stmt, 2, row);                         /* parameter 2 = id */
    sqlite3_step(stmt);
    sqlite3_finalize(stmt);
}
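To make the character-versus-byte point concrete, here is an added example (not the answerer's code, and not part of the original post). It does not call the sqlite3 API at all, so it builds without linking against SQLite; it only shows how to derive the value sqlite3_prepare16 expects in its third parameter, and how little of a statement sizeof(pointer) actually covers. The function names are made up for this illustration.

```c
#include <stddef.h>
#include <wchar.h>

/* Byte length of a NUL-terminated wide statement: the number
 * sqlite3_prepare16 wants in its third parameter (alternatively pass -1 and
 * let SQLite scan to the terminator itself). */
size_t sql16_byte_length(const wchar_t *sql)
{
    return wcslen(sql) * sizeof(wchar_t);
}

/* How many characters sizeof(a pointer) really covers. A pointer is 4 or 8
 * bytes, so this is 2 on Windows (4-byte pointer, 2-byte wchar_t) and on
 * 64-bit Linux (8-byte pointer, 4-byte wchar_t): only a tiny prefix of any
 * real statement, which is why sizeof(update) was wrong. */
size_t chars_covered_by_sizeof_pointer(void)
{
    const wchar_t *p = L"";
    return sizeof(p) / sizeof(wchar_t);
}

/* swprintf returns a CHARACTER count (or a negative value on failure). Convert
 * it to the byte count sqlite3_prepare16 needs; on failure fall back to -1,
 * i.e. "scan to the NUL terminator". */
int chars_to_prepare16_bytes(int swprintf_result)
{
    if (swprintf_result < 0)
        return -1;
    return swprintf_result * (int)sizeof(wchar_t);
}
```

Whichever route you take, the bound-parameter version above remains the right fix: it removes the length bookkeeping for the name entirely and keeps quotes in the name from being interpreted as SQL.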