On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker<m...@contact.de> wrote:
> You're working far too hard. The sqlite Tcl binding already does all that's
> needed.
>
> This is perfectly safe:
> set result [db1 eval {select * from X where label = $myStringValue and id > $compId}]
>
> But you MUST use {} to quote your query and not "", so sqlite gets to do the
> substitution (or better said convert things to prepared statements and bind
> values correctly) and not Tcl.
>
> Michael

Hi Michael,

Ok, I can see how this would be the easiest solution, but what I am
doing is basically a query builder (mapping of commands in a specialized
language to pattern subselects in SQL queries). Since the statements
can be nested in many different ways, I cannot expect to be able to
construct the query while keeping track of variable names to be used in
the final substitution, so that I can make use of the built-in binding
feature of sqlite.... It is much too much hard work.

Instead, I think I need to make each part of the query return a
complete (not to be evaluated further outside of sqlite) SQL query
subselect statement, which is why I think I need to make sure that the
values I insert are safe inside an SQL statement myself.
Or, do you know of a Tcl command to make strings "SQL safe"? (Sorry
for making this into a Tcl question now..)

/Fredrik


-- 
"Life is like a trumpet - if you don't put anything into it, you don't
get anything out of it."
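As an added example (not code from this thread, and written against Python's sqlite3 module rather than the Tcl binding under discussion), here is one way to build arbitrarily nested subselects while still letting sqlite bind every value: each builder returns a fragment that carries its SQL text together with its parameters in placeholder order, so composing fragments composes the parameter lists too and no string value is ever spliced into the query. The table, rows and the hostile label are constructed for the example; `naive_select_ids` is included only to show what string splicing does with such a label.

```python
import sqlite3


def make_db():
    """Constructed in-memory table with a few sample rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE X (id INTEGER PRIMARY KEY, label TEXT, parent INTEGER)")
    conn.executemany(
        "INSERT INTO X (id, label, parent) VALUES (?, ?, ?)",
        [
            (1, "root", None),
            (2, "child", 1),
            (3, "a' OR '1'='1", 1),  # a label that breaks naive string building
            (4, "child", 2),
        ],
    )
    return conn


class Fragment:
    """A piece of SQL plus the values bound to its ? placeholders, in order."""

    def __init__(self, sql, params=()):
        self.sql = sql
        self.params = tuple(params)


def label_is(value):
    return Fragment("label = ?", (value,))


def id_gt(value):
    return Fragment("id > ?", (value,))


def and_(*frags):
    """Conjunction: concatenates the SQL and the parameter lists in the same order."""
    sql = " AND ".join("(" + f.sql + ")" for f in frags)
    params = tuple(p for f in frags for p in f.params)
    return Fragment(sql, params)


def parent_in(where):
    """Nested pattern subselect: parent IN (SELECT id FROM X WHERE <where>).

    The inner fragment's parameters simply become this fragment's parameters,
    so nesting never requires tracking variable names by hand.
    """
    return Fragment("parent IN (SELECT id FROM X WHERE " + where.sql + ")", where.params)


def select_ids(conn, where):
    """Run the composed query; sqlite binds the values, the text is never altered."""
    query = "SELECT id FROM X WHERE " + where.sql + " ORDER BY id"
    return [row[0] for row in conn.execute(query, where.params)]


def naive_select_ids(conn, label):
    """The string-splicing approach the thread warns against, kept for contrast."""
    query = "SELECT id FROM X WHERE label = '" + label + "' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


if __name__ == "__main__":
    conn = make_db()
    # children of the root: nested subselect, two bound values
    print(select_ids(conn, and_(label_is("child"), parent_in(label_is("root")))))
    # grandchildren of the root: nesting two levels deep, three bound values
    deep = and_(label_is("child"), parent_in(and_(label_is("child"), parent_in(label_is("root")))))
    print(deep.sql, deep.params)
    print(select_ids(conn, deep))
    # the hostile label matches exactly one row when bound, every row when spliced
    print(select_ids(conn, label_is("a' OR '1'='1")))
    print(naive_select_ids(conn, "a' OR '1'='1"))
```

Because a fragment's parameters are always emitted in the same order as its placeholders, the composition rules (`and_`, `parent_in`) are the only places that need to get ordering right, and they do so mechanically; the same idea carries over to the Tcl binding by building a list of values alongside the query text and passing them in one call.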
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users