Fredrik Karlsson wrote:
> On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker<m...@contact.de> wrote:
>> You're working far too hard. The sqlite Tcl binding already does all that's 
>> needed.
>>
>> This is perfectly safe:
>> set result [db1 eval {select * from X where label = $myStringValue and id >
>> $compId}]
>>
>> But you MUST use {} to quote your query and not "", so sqlite gets to do the
>> substitution (or better said convert things to prepared statements and bind
>> values correctly) and not Tcl.
>>
>> Michael
> 
> Hi Michael,
> 
> Ok, I can see how this would be the easiest solution, but what I am
> doing is basically a query builder (mapping of commands in a specialized
> language to pattern subselects in SQL queries). Since the statements
> can be nested in many different ways, I cannot expect to be able to
> construct the query and keep track of variable names to be used in
> the final substitution, so that I can make use of the built in binding
> feature of sqlite.... It is much too much hard work.
> 

I don't think so.

Just use an array to store your values and prefix the names with the
identifier of your subpattern. Now when you emit your subpattern via
[format] or some other method just add the appropriate prefixed bind
variables. Should not be too hard.

> Instead, I think I need to make each part of the query return a
> complete (not to be evaluated further outside of sqlite) SQL query
> subselect statement, which is why I think I need to make sure that the
> values I insert are safe inside an SQL statement myself.
> Or, do you know of a Tcl command to make strings "SQL safe"? (Sorry
> for making this into a Tcl question now...)

It's the wrong way. See the mess you get with mysql_real_escape() in PHP and
you know it's wrong.

Michael

-- 
Michael Schlenker
Software Engineer

CONTACT Software GmbH           Tel.:   +49 (421) 20153-80
Wiener Straße 1-3               Fax:    +49 (421) 20153-41
28359 Bremen
http://www.contact.de/          E-Mail: m...@contact.de

Registered office: Bremen
Managing directors: Karl Heinz Zachries, Ralf Holtgrefe
Registered in the commercial register of the Bremen District Court under HRB 13215
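Michael's suggestion (one array, bind-variable names prefixed per subpattern, SQL emitted via [format] with braces so that sqlite, not Tcl, does the substitution), written out as an added example that is not code from the thread. The table, rows and helper names (bind, next_id, emit_pattern, emit_child_of) are constructed for illustration.

```tcl
package require sqlite3

# Constructed in-memory sample data; one label deliberately contains a quote.
sqlite3 db :memory:
db eval {
    CREATE TABLE X(id INTEGER PRIMARY KEY, label TEXT, parent INTEGER);
    INSERT INTO X VALUES(1, 'root', NULL);
    INSERT INTO X VALUES(2, 'a', 1);
    INSERT INTO X VALUES(3, 'a''b', 1);
    INSERT INTO X VALUES(4, 'c', 2);
}

# All values live in one array; each subpattern gets a unique prefix so that
# nested subselects never collide on bind-variable names.
array set bind {}
set next_id 0

proc emit_pattern {label} {
    global bind next_id
    set p "p[incr next_id]"
    set bind(${p}_label) $label
    # Braces keep $bind(...) literal: the SQL text carries only the bind name,
    # never the value, so no escaping is needed anywhere in the builder.
    return [format {SELECT id FROM X WHERE label = $bind(%s_label)} $p]
}

proc emit_child_of {label parentSql} {
    global bind next_id
    set p "p[incr next_id]"
    set bind(${p}_label) $label
    # The nested subselect is itself only bind names plus SQL, so it can be
    # spliced in as text; the values are still bound by sqlite at run time.
    return [format {SELECT id FROM X WHERE label = $bind(%s_label) AND parent IN (%s)} \
        $p $parentSql]
}

# Three nested levels: c under a under root.
set sql [emit_child_of c [emit_child_of a [emit_pattern root]]]
puts "generated SQL: $sql"

# sqlite resolves $bind(p1_label), $bind(p2_label), ... from the Tcl scope
# and binds them as parameters; the query with the quoted label also works.
puts "ids matched by nested query: [db eval $sql]"
puts "ids matched by quoted label: [db eval [emit_pattern a'b]]"
db close
```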
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users