Re: [sqlite] UPDATE database using parameters

2017-07-24 Thread Peter Da Silva
On 7/22/17, 1:46 AM, "sqlite-users on behalf of Keith Medcalf" wrote: > Not very well. How do you think "drive by downloads" work? Javascript in > browsers is the most dangerous thing ever invented! I think the

Re: [sqlite] UPDATE database using parameters

2017-07-22 Thread Keith Medcalf
On Friday, 21 July, 2017 20:05, Jens Alfke said: >> On Jul 21, 2017, at 1:01 PM, Keith Medcalf >> wrote: >> Just using a web browser has your machine executing god only knows >> what code generated by god only knows who doing god only knows what >> to

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Jens Alfke
> On Jul 21, 2017, at 1:01 PM, Keith Medcalf wrote: > > Just using a web browser has your machine executing god only knows what code > generated by god only knows who doing god only knows what to your computer. > Unless you have disabled that, of course. But that makes

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Keith Medcalf
On Friday, 21 July, 2017 11:37, Jens Alfke wrote: > But anyone writing software that runs in a web server, > or that otherwise interacts with untrusted data, has to > pay attention to basic security practices. > And a fundamental one is that you don’t run code that >

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Jens Alfke
> On Jul 21, 2017, at 9:48 AM, John McKown wrote: > > ​And, just to interject a politically incorrect statement, any "programmer" > who does not use the safer interface is either __extremely__ ignorant, or > arrogantly stupid I wouldn’t put it that harshly, but I

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Jens Alfke
> On Jul 21, 2017, at 6:45 AM, Peter Da Silva > wrote: > > Have a look at prepared statements and statement parameters. Agreed. PLEASE, PLEASE, do not try to splice parameters into SQL strings! Any mistakes in this code leave you vulnerable to SQL Injection

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Peter Da Silva
Using a straight PHP-level substitution like that performs the substitution before the SQL parser sees it. It’s also super dangerous if you’re not absolutely sure there’s no path for an untrusted agent to inject the name you’re selecting on. https://xkcd.com/327/ On 7/21/17, 3:42 AM,
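The point made in the two replies above (Jens Alfke: splicing values into SQL strings leaves you open to injection; Peter Da Silva: a PHP-level substitution happens before the SQL parser ever sees the text), as an added example that is not part of the thread. It uses Python's built-in sqlite3 module rather than PHP so it runs stand-alone; SQLite parses the statement the same way behind either binding. The Movies table, its rows, the apostrophe test value and the attacker-style id are all constructed for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data modelled on the thread's Movies table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Movies (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany(
        "INSERT INTO Movies (id, name) VALUES (?, ?)",
        [(1, "Alien"), (2, "Blade Runner"), (3, "Heat"), (4, "Old title")],
    )
    db.commit()
    return db


def update_by_concatenation(db: sqlite3.Connection, newname: str, newid: str) -> int:
    """The pattern under discussion: values spliced into the SQL text.

    The substitution happens before SQLite's parser runs, so anything in
    newname/newid that looks like SQL is parsed as SQL. Returns rows changed.
    """
    sql = "UPDATE Movies SET name = '" + newname + "' WHERE id = " + newid
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def update_with_parameters(db: sqlite3.Connection, newname: str, newid: str) -> int:
    """The prepared-statement form: ? placeholders, values bound afterwards.

    The statement is compiled with its shape fixed; bound values are data and
    cannot add clauses or terminate the string literal. Returns rows changed.
    """
    cur = db.execute("UPDATE Movies SET name = ? WHERE id = ?", (newname, newid))
    db.commit()
    return cur.rowcount


def names(db: sqlite3.Connection) -> list:
    return [row[0] for row in db.execute("SELECT name FROM Movies ORDER BY id")]


def run_demo() -> dict:
    """Runs both forms against honest and hostile input; returns what happened."""
    db = make_db()
    results = {}

    # Honest data that merely contains an apostrophe breaks the concatenated
    # statement: the quote ends the literal early and SQLite reports a
    # syntax error ...
    try:
        update_by_concatenation(db, "Ocean's 11", "4")
        results["concat_apostrophe"] = "ok"
    except sqlite3.Error as exc:
        results["concat_apostrophe"] = "error: " + str(exc)
    # ... while the bound form stores it verbatim.
    results["bound_apostrophe"] = update_with_parameters(db, "Ocean's 11", "4")
    results["name_4"] = names(db)[3]

    # Constructed attacker input for the id field. Bound, it is the text
    # '4 OR 1=1' compared against an INTEGER column and matches no row.
    hostile_id = "4 OR 1=1"
    results["bound_injection"] = update_with_parameters(db, "pwned", hostile_id)
    # Concatenated, it becomes `WHERE id = 4 OR 1=1` and rewrites every row.
    results["concat_injection"] = update_by_concatenation(db, "pwned", hostile_id)
    results["names_after"] = names(db)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Note that the hostile id never needs a second statement or a quote character; it only has to extend the WHERE clause, which is why escaping quotes is not a substitute for binding.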

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Peter Da Silva
Have a look at prepared statements and statement parameters. Also, if you’re quoting strings you should use single quotes rather than double quotes. Double quotes just override the tokenizer, the result is still untyped and technically an identifier (the tokenizer actually marks it as TK_ID)

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Tim Streater
On 21 Jul 2017, at 11:14, Rowan Worth wrote: > On 21 July 2017 at 17:50, Tim Streater wrote: > >>$sql = "UPDATE Movies SET name = '$newname' where id=$newid"; >> >> Personally I don't like forcing PHP to scan strings so I tend to use >> concatenation,

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Rowan Worth
On 21 July 2017 at 17:50, Tim Streater wrote: >$sql = "UPDATE Movies SET name = '$newname' where id=$newid"; > > Personally I don't like forcing PHP to scan strings so I tend to use > concatenation, rewriting the last of these as: > >$sql = 'UPDATE Movies SET name

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Tim Streater
On 21 Jul 2017 at 10:04, Edmondo Borasio wrote: > Hi Tim. > > It *almost* works.. > >$DbItemNameTest = "new name"; >$hIdTest = "1"; > >$db->exec ('UPDATE Anagrafica SET name = \'' . $DbItemNameTest . > '\' WHERE hospital_ID="1"'); //IT WORKS >

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Tim Streater
On 21 Jul 2017 at 09:58, Simon Slavin wrote: > On 21 Jul 2017, at 7:33am, Edmondo Borasio wrote: > >> $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"'); > > Those are the wrong quotes. SQLite requires single quotes around literal >

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Edmondo Borasio
Hi Tim. It *almost* works.. $DbItemNameTest = "new name"; $hIdTest = "1"; $db->exec ('UPDATE Anagrafica SET name = \'' . $DbItemNameTest . '\' WHERE hospital_ID="1"'); //IT WORKS $db->exec ('UPDATE Anagrafica SET name = \'' . $DbItemNameTest . '\' WHERE hospital_ID=' .

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Simon Slavin
On 21 Jul 2017, at 7:33am, Edmondo Borasio wrote: > $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"'); Those are the wrong quotes. SQLite requires single quotes around literal strings, and expects no quote around numbers. And PHP doesn’t care which
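The quoting point raised by Peter Da Silva (double quotes are identifier quotes; the tokenizer treats the token as an identifier) and by Simon Slavin above (literal strings take single quotes, numbers take none), as an added example that is not from the thread. It is written against Python's built-in sqlite3 module rather than PHP so it runs as-is; the behaviour is SQLite's, not the binding's. The table and row are constructed. The `"new movie"` case exercises SQLite's legacy fallback that turns a double-quoted token matching no column into a string literal; whether that fallback is on depends on how the library was compiled (the SQLITE_DQS compile option and SQLITE_DBCONFIG_DQS_DML setting), so the function reports what happened instead of assuming.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample row modelled on the thread's example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Movies (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO Movies (id, name) VALUES (4, 'Old title')")
    db.commit()
    return db


def name_of(db: sqlite3.Connection, movie_id: int = 4) -> str:
    return db.execute("SELECT name FROM Movies WHERE id = ?", (movie_id,)).fetchone()[0]


def set_name_double_quoted_column(db: sqlite3.Connection) -> str:
    """Double quotes: "id" resolves to the id column, not to the text 'id'.

    The row ends up with name = '4' (the id value, coerced to TEXT by the
    column's affinity), which is almost certainly not what the author meant.
    """
    db.execute('UPDATE Movies SET name = "id" WHERE id = 4')
    db.commit()
    return name_of(db)


def set_name_single_quoted(db: sqlite3.Connection) -> str:
    """Single quotes: 'id' is a string literal; the row gets exactly that text."""
    db.execute("UPDATE Movies SET name = 'id' WHERE id = 4")
    db.commit()
    return name_of(db)


def set_name_double_quoted_literal(db: sqlite3.Connection) -> str:
    """The thread's original statement, double quotes around both values.

    "new movie" and "4" match no column. SQLite either falls back to treating
    them as strings (legacy double-quoted-string behaviour) or reports
    'no such column', depending on the build, so the outcome is returned.
    """
    try:
        db.execute('UPDATE Movies SET name = "new movie" WHERE id = "4"')
        db.commit()
        return name_of(db)
    except sqlite3.OperationalError as exc:
        return "rejected: " + str(exc)


def unquoted_number(db: sqlite3.Connection) -> int:
    """The form Simon describes: single quotes for the string, none for the number."""
    cur = db.execute("UPDATE Movies SET name = 'new movie' WHERE id = 4")
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    print(set_name_double_quoted_column(db))   # '4'  (the column value)
    print(set_name_single_quoted(db))          # 'id' (the literal)
    print(set_name_double_quoted_literal(db))  # 'new movie' or 'rejected: ...'
    print(unquoted_number(db))                 # 1
```

The first two functions are the deterministic part: a double-quoted token that happens to name a column is silently read as that column on every SQLite build, which is why code that "works" with double quotes can change meaning the moment a column with that name is added. Bound parameters sidestep the question entirely, since a bound value is never tokenised.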

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Edmondo Borasio
Hi and thanks for your email. I am using PHP with SQLite on an Apache server. That statement was taken from some advice I got from a forum. I wasn't aware it was MySQL. I am new to SQLite and this is my first database. *"Table/column names cannot use parameters. You have to put it directly*

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Tim Streater
On 21 Jul 2017 at 07:33, Edmondo Borasio wrote: > I am updating a record of a SQLite database as follows: > > $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"'); > > but instead of using name and ID I want to use some variables, $NewItemName > and $hId. > >

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Clemens Ladisch
Edmondo Borasio wrote: > $stmt->bind_param($p_name,$bind_value); This looks like PHP's MySQL driver. Which DB are you actually using? Anyway, I recommend you start with the examples from the manual, e.g., : $stmt = $db->prepare('SELECT

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Edmondo Borasio
Hi Thanks but it doesn't work. It's weird because the following works: $db->exec('UPDATE Anagrafica SET name = "new name" WHERE hID="1"'); //WORKS But this doesn't: $p_name ="new name"; $bind_value = "1"; $stmt = $conn->prepare('UPDATE Anagrafica SET name=? WHERE hID=?');

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread nomad
On Fri Jul 21, 2017 at 06:33:55AM +, Edmondo Borasio wrote: > I am updating a record of a SQLite database as follows: > > $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"'); > > but instead of using name and ID I want to use some variables, $NewItemName > and $hId. > > Entering