Re: [sqlite] UPDATE database using parameters

2017-07-24 Thread Peter Da Silva 
On 7/22/17, 1:46 AM, "sqlite-users on behalf of Keith Medcalf" 
 
wrote:
> Not very well.  How do you think "drive by downloads" work?  Javascript in 
> browsers is the most dangerous thing ever invented!

I think the caps-lock key gives it a run for its money.
 

___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-22 Thread Keith Medcalf 

On Friday, 21 July, 2017 20:05, Jens Alfke  said:
>> On Jul 21, 2017, at 1:01 PM, Keith Medcalf 
>> wrote:

>> Just using a web browser has your machine executing god only knows
>> what code generated by god only knows who doing god only knows what
>> to your computer.  Unless you have disabled that, of course.  But
>> that makes the web almost completely unuseable

>Well, JavaScript is sandboxed. And I think most people would take
>issue with the assertion that the web is unusable.

Not very well.  How do you think "drive by downloads" work?  Javascript in 
browsers is the most dangerous thing ever invented!

So, if you have disabled Javascript entirely the Web is *not* almost completely 
unuseable?  You must only visit websites run by the competent, because 90% of 
the web sites visited will be completely blank if Javascript is disabled.  
Google even displays the message "Once you remove all the malware, nothing 
remains".

>> And people who use squirrily quotes should fix their email client …

>“These”?  They're true quotation marks. The straight kind was only
>invented later, for typewriters, just to save a key; they’ve never
>been acceptable in anything but typewritten documents. (The early
>typewriters also didn’t have a “1” because you could use a lowercase
>“l”, or a “0” because you could use an “O”. That got remedied later,
>but they kept the ugly quotes.)

Nonetheless.  If you permit your email client to use squirrily quotes then 
anything that you type in a message cannot be cut and pasted into any "normal" 
software, command prompt, client, or programming language source file without 
having to have the quotes all fixed up.  Same with replacing -- with an em-dash.

And no, the squirrily quotes are typeset quotes.  They are meant for typeset 
publications.  Computer code is not a typesetting application.




___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Jens Alfke 

> On Jul 21, 2017, at 1:01 PM, Keith Medcalf  wrote:
> 
> Just using a web browser has your machine executing god only knows what code 
> generated by god only knows who doing god only knows what to your computer.  
> Unless you have disabled that, of course.  But that makes the web almost 
> completely unuseable

Well, JavaScript is sandboxed. And I think most people would take issue with 
the assertion that the web is unusable.

> And people who use squirrily quotes should fix their email client …

“These”?  They're true quotation marks. The straight kind was only invented 
later, for typewriters, just to save a key; they’ve never been acceptable in 
anything but typewritten documents. (The early typewriters also didn’t have a 
“1” because you could use a lowercase “l”, or a “0” because you could use an 
“O”. That got remedied later, but they kept the ugly quotes.)

—Jens
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Keith Medcalf 
On Friday, 21 July, 2017 11:37, Jens Alfke  wrote:

> But anyone writing software that runs in a web server, 
> or that otherwise interacts with untrusted data, has to 
> pay attention to basic security practices. 

> And a fundamental one is that you don’t run code that 
> some untrusted person sent you. 

But most people do this all the time.  Just using a web browser has your 
machine executing god only knows what code generated by god only knows who 
doing god only knows what to your computer.  Unless you have disabled that, of 
course.  But that makes the web almost completely unuseable because it is full 
of stupid sluggard Johhny-cum-lately web designers who pull in third-party crap 
from god only knows where (since only their victims run it, they do not run it 
themselves).  There is a very small subset of people who take action against 
such stupidity.  I used to complain but these people are utter morons with 
abysmal IQs and do not grok the problem -- so there is not much point in that.  
Now I simply refuse to deal with companies that pull such shenanigans and tell 
them why I will never do business with them.

> Anyone who doesn’t hear alarm bells going off when 
> they see code like 
> “UPDATE students set name=$FORM_DATA …” 
> really shouldn’t be writing this sort of software. 

And people who use squirrily quotes should fix their email client ...

> (And it gets worse than this. A major attack on Wordpress 
> and other PHP apps about ten years ago, that caused a lot 
> of damage worldwide, was triggered by some bozo using PHP’s 
> “eval()” function inside an XMLRPC library.)

You don't need to look that far.  I am sure there was at least ten new 
vulnerabilities discovered yesterday that fall into this category.  And just 
for WordPress.

—Jens




___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Jens Alfke 

> On Jul 21, 2017, at 9:48 AM, John McKown  wrote:
> 
> ​And, just to interject a politically incorrect statement, any "programmer"
> who does not use the safer interface is either __extremely__ ignorant,  or
> arrogantly stupid

I wouldn’t put it that harshly, but I agree in spirit. If you’re just learning 
an API and experimenting on your own, it’s understandable that you’ll overlook 
parts of it, or miss best practices, and make mistakes. If that causes crashes 
or problems on your computer, well, that’s part of learning. We all do that.

But anyone writing software that runs in a web server, or that otherwise 
interacts with untrusted data, has to pay attention to basic security 
practices. And a fundamental one is that you don’t run code that some untrusted 
person sent you. SQL statements are code. So incorporating user input into a 
string and then telling a SQL database to evaluate that string is incredibly 
unsafe. 

Anyone who doesn’t hear alarm bells going off when they see code like “UPDATE 
students set name=$FORM_DATA …” really shouldn’t be writing this sort of 
software. (And it gets worse than this. A major attack on Wordpress and other 
PHP apps about ten years ago, that caused a lot of damage worldwide, was 
triggered by some bozo using PHP’s “eval()” function inside an XMLRPC library.)

It’s like: if you want to fool around with gears and pulleys and learn 
mechanics in your home workshop, awesome! But if you’re going to build an 
elevator for my 20-story apartment building, I really want you to have a solid 
knowledge of structural engineering and safety practices, so you don’t do 
something ignorant and get people killed.

—Jens
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Jens Alfke 

> On Jul 21, 2017, at 6:45 AM, Peter Da Silva  
> wrote:
> 
> Have a look at prepared statements and statement parameters.

Agreed.

PLEASE, PLEASE, do not try to splice parameters into SQL strings! Any mistakes 
in this code leave you vulnerable to SQL Injection Attacks, which are 
depressingly common and cause great damage in the real world. (Some of the 
examples already posted in this thread contain such mistakes…)

SQLite, like every other SQL database I know of, has APIs that let you safely 
plug runtime parameters into statements without having to do string 
concatenation or quoting or sanitization. The resulting code is safe, more 
readable, and as a bonus it’s faster because the database only has to compile 
and optimize the statement once, no matter how many times it runs.

—Jens
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Peter Da Silva 
Using a straight PHP-level substitution like that performs the substitution 
before the SQL parser sees it. It’s also super dangerous if you’re not 
absolutely sure there’s no path for an untrusted agent to inject the name 
you’re selecting on.

https://xkcd.com/327/

On 7/21/17, 3:42 AM, "sqlite-users on behalf of Edmondo Borasio" 
 wrote:

Hi and thanks for your email.

I am using PHP with SQLite on an Apache server.
That statement was taken from some advice I got from a forum.  I wasn't
aware it was MySQL.
I am new to SQLite and this is my first database.

*"Table/column names cannot use parameters.  You have to put it directly*
*into the string:"*

I guess however there must be a way, because for example with SELECT it
works.
The query below works perfectly using variables:

$results = $db->query("SELECT \"$DbItemName\" FROM Anagrafica WHERE
hID=\"$hId\"")->fetchArray();

Cheers

Edmondo


On Fri, 21 Jul 2017 at 12:24, Clemens Ladisch  wrote:

> Edmondo Borasio wrote:
> > $stmt->bind_param($p_name,$bind_value);
>
> This looks like PHP's MySQL driver.  Which DB are you actually using?
>
> Anyway, I recommend you start with the examples from the manual, e.g.,
> :
>
>   $stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
>   $stmt->bindValue(':id', 1, SQLITE3_INTEGER);
>   $result = $stmt->execute();
>
> > I would also need to take the parameter "name" of "SET name" from a
> variable
>
> Table/column names cannot use parameters.  You have to put it directly
> into the string:
>
>   $sql = "UPDATE Anagrafica SET ".$col." = ..."
>
>
> Regards,
> Clemens
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Peter Da Silva 
Have a look at prepared statements and statement parameters.

Also, if you’re quoting strings you should use single quotes rather than double 
quotes. Double quotes just override the tokenizer, the result is still untyped 
and technically an identifier (the tokenizer actually marks it as TK_ID) until 
the parser disambiguates it. This can lead to unexpected results.

On 7/21/17, 1:34 AM, "sqlite-users on behalf of Edmondo Borasio" 
 wrote:

I am updating a record of a SQLite database as follows:

$db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"');

but instead of using name and ID I want to use some variables, $NewItemName
 and $hId.

Entering the variables as they are won't work. Neither using escape
characters like \"$DbItemName\" and \"$hId\".

Any idea of the right syntax pls?
-- 
Dr Edmondo Borasio, MedC BQ Ophth, FEBO
Consultant Ophthalmologist
Specialised in Cornea, Cataract & Laser Refractive Surgery

Head of Corneal and Refractive Surgery Department
Burjeel Hospital
Abu Dhabi, UAE
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users


___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Tim Streater 
On 21 Jul 2017, at 11:14, Rowan Worth  wrote:

> On 21 July 2017 at 17:50, Tim Streater  wrote:
>
>>$sql = "UPDATE Movies SET name = '$newname' where id=$newid";
>>
>> Personally I don't like forcing PHP to scan strings so I tend to use
>> concatentation, rewriting the last of these as:
>>
>>$sql = 'UPDATE Movies SET name = '' . $newname . '' where id=' .
>> $newid;
>>
>> but that's just a personal style preference.
>>
>
> Either way, I hope for your sake no one releases a movie called:
> Avengers!'; Drop Table Movies; --

That’s going to be a problem anyway if your strings can legally contain 
single-quotes, never mind little Bobby Tables. Sanitisation is called for.

> As Simon says, better to use something like $sql = 'UPDATE Movies SET name
> = ? WHERE id = ?' and bind your parameters in.

Not disagreeing, but I was operating on the first-things-first principle.


--
Cheers  --  Tim
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Rowan Worth 
On 21 July 2017 at 17:50, Tim Streater  wrote:

>$sql = "UPDATE Movies SET name = '$newname' where id=$newid";
>
> Personally I don't like forcing PHP to scan strings so I tend to use
> concatentation, rewriting the last of these as:
>
>$sql = 'UPDATE Movies SET name = \'' . $newname . '\' where id=' .
> $newid;
>
> but that's just a personal style preference.
>

Either way, I hope for your sake no one releases a movie called:
Avengers!'; Drop Table Movies; --

;)

As Simon says, better to use something like $sql = 'UPDATE Movies SET name
= ? WHERE id = ?' and bind your parameters in.
-Rowan
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Tim Streater 
On 21 Jul 2017 at 10:04, Edmondo Borasio  wrote: 

> Hi Tim.
>
> It *almost* works..
>
>$DbItemNameTest = "new name";
>$hIdTest = "1";
>
>$db->exec ('UPDATE Anagrafica SET name = \'' . $DbItemNameTest .
> '\' WHERE hospital_ID="1"'); //IT WORKS
>   $db->exec ('UPDATE Anagrafica SET name = \'' . $DbItemNameTest . '\'
> WHERE hospital_ID=' . $hIdTest); //IT DOESN'T WORK
>
> The second one doesn't work even if I change hIdTest to integer.
>
>$hIdTest = 1;

Well, is hospital_ID stored in your database as a string or as an integer?

If it's an integer, then having $hIdTest as an integer should work. If it's a 
string you would leave $hIdTest as a string and change the sql to:

   ... WHERE hospital_ID=\'' . $hIdTest . '\'');

(I know SQLite can be cleverer than that in doing conversions but I've tried 
never to rely on that so am unfamiliar with it)

--
Cheers  --  Tim
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Tim Streater 
On 21 Jul 2017 at 09:58, Simon Slavin  wrote: 

> On 21 Jul 2017, at 7:33am, Edmondo Borasio  wrote:
>
>> $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"');
>
> Those are the wrong quotes.  SQLite requires single quotes around literal
> strings, and expects no quote around numbers.  And PHP doesn’t care which
> quotes you use as long as they match.

Actually PHP does care. It will not look inside single quoted strings for 
special escaped characters or variables for which to substitute values. It 
*will* do so for double-quoted strings.

So:

   echo 'Hello\n';

will not do the same thing as:

   echo "Hello\n";

The latter will put out a newline at the end of Hello whereas the former will 
put out two characters (\ and n).

Similarly, variable substitution will not happen here:

   $sql = 'UPDATE Movies SET name = $newname where id=$newid';

but will do here:

   $sql = "UPDATE Movies SET name = $newname where id=$newid";

So PHP is happy, but SQLite is not - you'd need:

   $sql = "UPDATE Movies SET name = '$newname' where id=$newid";

Personally I don't like forcing PHP to scan strings so I tend to use 
concatentation, rewriting the last of these as:

   $sql = 'UPDATE Movies SET name = \'' . $newname . '\' where id=' . $newid;

but that's just a personal style preference.

--
Cheers  --  Tim
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Edmondo Borasio 
Hi Tim.

It *almost* works..

$DbItemNameTest = "new name";
$hIdTest = "1";

$db->exec ('UPDATE Anagrafica SET name = \'' . $DbItemNameTest .
'\' WHERE hospital_ID="1"'); //IT WORKS
   $db->exec ('UPDATE Anagrafica SET name = \'' . $DbItemNameTest . '\'
WHERE hospital_ID=' . $hIdTest); //IT DOESN'T WORK

The second one doesn't work even if I change hIdTest to integer.

$hIdTest = 1;

Any suggestions pls?

Cheers



On 21 July 2017 at 12:35, Tim Streater  wrote:

> On 21 Jul 2017 at 07:33, Edmondo Borasio  wrote:
>
> > I am updating a record of a SQLite database as follows:
> >
> > $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"');
> >
> > but instead of using name and ID I want to use some variables,
> $NewItemName
> > and $hId.
> >
> > Entering the variables as they are won't work. Neither using escape
> > characters like \"$DbItemName\" and \"$hId\".
>
> It would help if you said what language you are using.
>
> In PHP, one could do this:
>
>   $db->exec ('UPDATE Movies SET name = \'' . $DbItemName . '\' WHERE ID='
> . $hId);
>
> or perhaps:
>
>   $db->exec ("UPDATE Movies SET name = '$DbItemName' WHERE ID=$hId");
>
>
> --
> Cheers  --  Tim
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Simon Slavin 
On 21 Jul 2017, at 7:33am, Edmondo Borasio  wrote:

> $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"');

Those are the wrong quotes.  SQLite requires single quotes around literal 
strings, and expects no quote around numbers.  And PHP doesn’t care which 
quotes you use as long as they match.  Correct line should be as follows:

$db->exec("UPDATE Movies SET name = 'new movie' WHERE ID=4");

>   $stmt = $conn->prepare('UPDATE Anagrafica SET name=? WHERE hID=?');

Use named parameters.  See the example on this page instead:



so something like

$stmt = $conn->prepare("UPDATE Anagrafica SET name=:name WHERE 
hID=:hid");
$stmt->bindValue(":name", $DbItemName, SQLITE3_TEXT);
$stmt->bindValue(":hid", $hId, SQLITE3_INTEGER);

If speed is an issue then you can use numbers for the first parameter, but that 
makes your code less easy to read.

Also, make sure you are using the SQLite3 driver, not the standard PDO one.  So 
you should be doing

$conn = new SQLite3("path goes here");

You can get away with using the wrong quotes in PHP in some circumstances, but 
not others, which makes debugging the wrong case extremely difficult.  Better 
to use the right quotes throughout your code even when the wrong ones work.

Simon.
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Edmondo Borasio 
Hi and thanks for your email.

I am using PHP with SQLite on an Apache server.
That statement was taken from some advice I got from a forum.  I wasn't
aware it was MySQL.
I am new to SQLite and this is my first database.

*"Table/column names cannot use parameters.  You have to put it directly*
*into the string:"*

I guess however there must be a way, because for example with SELECT it
works.
The query below works perfectly using variables:

$results = $db->query("SELECT \"$DbItemName\" FROM Anagrafica WHERE
hID=\"$hId\"")->fetchArray();

Cheers

Edmondo


On Fri, 21 Jul 2017 at 12:24, Clemens Ladisch  wrote:

> Edmondo Borasio wrote:
> > $stmt->bind_param($p_name,$bind_value);
>
> This looks like PHP's MySQL driver.  Which DB are you actually using?
>
> Anyway, I recommend you start with the examples from the manual, e.g.,
> :
>
>   $stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
>   $stmt->bindValue(':id', 1, SQLITE3_INTEGER);
>   $result = $stmt->execute();
>
> > I would also need to take the parameter "name" of "SET name" from a
> variable
>
> Table/column names cannot use parameters.  You have to put it directly
> into the string:
>
>   $sql = "UPDATE Anagrafica SET ".$col." = ..."
>
>
> Regards,
> Clemens
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Tim Streater 
On 21 Jul 2017 at 07:33, Edmondo Borasio  wrote: 

> I am updating a record of a SQLite database as follows:
>
> $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"');
>
> but instead of using name and ID I want to use some variables, $NewItemName
> and $hId.
>
> Entering the variables as they are won't work. Neither using escape
> characters like \"$DbItemName\" and \"$hId\".

It would help if you said what language you are using.

In PHP, one could do this:

  $db->exec ('UPDATE Movies SET name = \'' . $DbItemName . '\' WHERE ID=' . 
$hId);

or perhaps:

  $db->exec ("UPDATE Movies SET name = '$DbItemName' WHERE ID=$hId");


--
Cheers  --  Tim
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Clemens Ladisch 
Edmondo Borasio wrote:
> $stmt->bind_param($p_name,$bind_value);

This looks like PHP's MySQL driver.  Which DB are you actually using?

Anyway, I recommend you start with the examples from the manual, e.g.,
:

  $stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
  $stmt->bindValue(':id', 1, SQLITE3_INTEGER);
  $result = $stmt->execute();

> I would also need to take the parameter "name" of "SET name" from a variable

Table/column names cannot use parameters.  You have to put it directly
into the string:

  $sql = "UPDATE Anagrafica SET ".$col." = ..."


Regards,
Clemens
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread Edmondo Borasio 
Hi Thanks but it doesn't work.

It's weird because the following works:

$db->exec('UPDATE Anagrafica SET name = "new name" WHERE hID="1"');
//WORKS

But this doesn't:

$p_name ="new name";
$bind_value = "1";
$stmt = $conn->prepare('UPDATE Anagrafica SET name=? WHERE hID=?');
$stmt->bind_param($p_name,$bind_value);
$stmt->exec();

To make things more complex, once this is working, then I would also need
to take the parameter "name" of "SET name" from a variable..

Thanks

On 21 July 2017 at 10:45,  wrote:

> On Fri Jul 21, 2017 at 06:33:55AM +, Edmondo Borasio wrote:
> > I am updating a record of a SQLite database as follows:
> >
> > $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"');
> >
> > but instead of using name and ID I want to use some variables,
> $NewItemName
> >  and $hId.
> >
> > Entering the variables as they are won't work. Neither using escape
> > characters like \"$DbItemName\" and \"$hId\".
> >
> > Any idea of the right syntax pls?
>
> It appears that you are using something like Perl or Ruby to access
> your database?  If that is the case, then you will find that the
> concept of "placeholders" is what you are looking for.
>
> Typically you specify a "?" (without the quotes) where you want your
> variables to be, and then "bind" the variables to those positions
> either before or during the exec call.
>
> Here is the Perl documentation on that topic:
>
> https://metacpan.org/pod/DBI#Placeholders-and-Bind-Values
>
> I suggest you look up the equivalent in whatever language you are
> using.
>
> --
> Mark Lawrence
> ___
> sqlite-users mailing list
> sqlite-users@mailinglists.sqlite.org
> http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
>
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

Re: [sqlite] UPDATE database using parameters

2017-07-21 Thread nomad 
On Fri Jul 21, 2017 at 06:33:55AM +, Edmondo Borasio wrote:
> I am updating a record of a SQLite database as follows:
> 
> $db->exec('UPDATE Movies SET name = "new movie" WHERE ID="4"');
> 
> but instead of using name and ID I want to use some variables, $NewItemName
>  and $hId.
>
> Entering the variables as they are won't work. Neither using escape
> characters like \"$DbItemName\" and \"$hId\".
> 
> Any idea of the right syntax pls?

It appears that you are using something like Perl or Ruby to access
your database?  If that is the case, then you will find that the
concept of "placeholders" is what you are looking for.

Typically you specify a "?" (without the quotes) where you want your
variables to be, and then "bind" the variables to those positions
either before or during the exec call.

Here is the Perl documentation on that topic:

https://metacpan.org/pod/DBI#Placeholders-and-Bind-Values

I suggest you look up the equivalent in whatever language you are
using.

-- 
Mark Lawrence
___
sqlite-users mailing list
sqlite-users@mailinglists.sqlite.org
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users