While building a Search for my app i ran into a problem whilst using the FMDB SQLite Wrapper (https://github.com/ccgus/fmdb).

在为我的应用程序构建搜索时，我在使用 FMDB SQLite Wrapper (https://github.com/ccgus/fmdb) 时遇到了问题。

When I search my database with this SQL Command, everything is fine. 13 objects are returned and I can use them.

当我用这个 SQL 命令搜索我的数据库时，一切都很好。返回了 13 个对象，我可以使用它们。

FMResultSet *rs = [db executeQuery:@"SELECT * FROM ZARTICLE WHERE ZTITLEDE LIKE '%Daimler%'"];

But when i try to insert the searchQuery from the User Input like this:

但是当我尝试像这样从用户输入插入 searchQuery 时：

FMResultSet *rs = [db executeQuery:@"SELECT * FROM ZARTICLE WHERE ZTITLEDE LIKE (?)", theSearchQuery];

... the value is dont be inserted into SQL Command. And I dont get any returned objects from the DB. even if the String (theSearchQuery) is the same written in the first example.

...该值不会被插入到 SQL 命令中。而且我没有从数据库中得到任何返回的对象。即使字符串 (theSearchQuery) 与第一个示例中编写的相同。

Additionaly I post a part from the documentation of FMDB for your convinience. :)

另外，为了您的方便，我从 FMDB 的文档中发布了一部分。:)

Data Sanitization

When providing a SQL statement to FMDB, you should not attempt to "sanitize" any values before insertion. Instead, you should use the standard SQLite binding syntax:

向 FMDB 提供 SQL 语句时，不应尝试在插入前“清理”任何值。相反，您应该使用标准的 SQLite 绑定语法：

INSERT INTO myTable VALUES (?, ?, ?) The ? character is recognized by SQLite as a placeholder for a value to be inserted. The execution methods all accept a variable number of arguments (or a representation of those arguments, such as an NSArray or a va_list), which are properly escaped for you.

INSERT INTO myTable VALUES (?, ?, ?) ? SQLite 将字符识别为要插入的值的占位符。执行方法都接受可变数量的参数（或这些参数的表示形式，例如 NSArray 或 va_list），这些参数已为您正确转义。

Thus, you SHOULD NOT do this (or anything like this):

因此，您不应该这样做（或类似的事情）：

[db executeUpdate:[NSString stringWithFormat:@"INSERT INTO myTable VALUES (%@)", @"this has \" lots of ' bizarre \" quotes '"]]; Instead, you SHOULD do:

[db executeUpdate:[NSString stringWithFormat:@"INSERT INTO myTable VALUES (%@)", @"this has \"很多'奇怪的\"引号'"]]; 相反，你应该：

[db executeUpdate:@"INSERT INTO myTable VALUES (?)", @"this has \" lots of ' bizarre \" quotes '"]; All arguments provided to the -executeUpdate: method (or any of the variants that accept a va_list as a parameter) must be objects. The following will not work (and will result in a crash):

[db executeUpdate:@"INSERT INTO myTable VALUES (?)", @"this has \"很多'奇怪的\"引号'"]; 提供给 -executeUpdate: 方法（或任何接受 va_list 作为参数的变体）的所有参数都必须是对象。以下将不起作用（并会导致崩溃）：

[db executeUpdate:@"INSERT INTO myTable VALUES (?)", 42]; The proper way to insert a number is to box it in an NSNumber object:

[db executeUpdate:@"INSERT INTO myTable VALUES (?)", 42]; 插入数字的正确方法是将其装箱到 NSNumber 对象中：

[db executeUpdate:@"INSERT INTO myTable VALUES (?)", [NSNumber numberWithInt:42]]; Alternatively, you can use the -execute*WithFormat: variant to use NSString-style substitution:

[db executeUpdate:@"INSERT INTO myTable VALUES (?)", [NSNumber numberWithInt:42]]; 或者，您可以使用 -execute*WithFormat: 变体来使用 NSString 样式的替换：

[db executeUpdateWithFormat:@"INSERT INTO myTable VALUES (%d)", 42]; Internally, the -execute*WithFormat: methods are properly boxing things for you. The following percent modifiers are recognized: %@, %c, %s, %d, %D, %i, %u, %U, %hi, %hu, %qi, %qu, %f, %g, %ld, %lu, %lld, and %llu. Using a modifier other than those will have unpredictable results. If, for some reason, you need the % character to appear in your SQL statement, you should use %%.

[db executeUpdateWithFormat:@"INSERT INTO myTable VALUES (%d)", 42]; 在内部， -execute*WithFormat: 方法为您正确装箱。识别以下百分比修饰符：%@、%c、%s、%d、%D、%i、%u、%U、%hi、%hu、%qi、%qu、%f、%g、% ld、%lu、%lld 和 %llu。使用除这些之外的修饰符将产生不可预测的结果。如果出于某种原因，您需要 % 字符出现在您的 SQL 语句中，您应该使用 %%。