Fredrik Karlsson wrote:
> On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker<m...@contact.de> wrote:
>> You're working far too hard. The sqlite Tcl binding already does all that's
>> needed.
>>
>> This is perfectly safe:
>> set result [db1 eval {select * from X where label = $myStringValue and id > $compId}]
>>
>> But you MUST use {} to quote your query and not "", so sqlite gets to do the
>> substitution (or better said convert things to prepared statements and bind
>> values correctly) and not Tcl.
>>
>> Michael
>
> Hi Michael,
>
> Ok, I can see how this would be the easiest solution, but what I am
> doing is basically a query builder (mapping of commands in a specialized
> language to pattern subselects in SQL queries). Since the statements
> can be nested in many different ways, I cannot expect to be able to
> construct the query and keep track of variable names to be used in
> the final substitution, so that I can make use of the built-in binding
> feature of sqlite.... It is much too much hard work.
>
I don't think so. Just use an array to store your values and prefix the names with the identifier of your subpattern. Now when you emit your subpattern via [format] or some other method just add the appropriate prefixed bind variables. Should not be too hard.

> Instead, I think I need to make each part of the query return a
> complete (not to be evaluated further outside of sqlite) SQL query
> subselect statement, which is why I think I need to make sure that the
> values I insert are safe inside an SQL statement myself.
> Or, do you know of a Tcl command to make strings "SQL safe"? (Sorry
> for making this into a Tcl question now..)

It's the wrong way. See the mess you get with mysql_real_escape() in PHP and you know it's wrong.

Michael

--
Michael Schlenker
Software Engineer
CONTACT Software GmbH
Tel.: +49 (421) 20153-80
Fax: +49 (421) 20153-41
Wiener Straße 1-3
28359 Bremen
http://www.contact.de/
E-Mail: m...@contact.de
Registered office: Bremen
Managing directors: Karl Heinz Zachries, Ralf Holtgrefe
Registered in the commercial register of the Bremen district court under HRB 13215

_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
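The approach Michael describes (each emitted subpattern carries its own prefixed bind names, values never touch the SQL text, no escaping step), as an added example that is not from the thread. It is written in Python with the sqlite3 module's named parameters rather than the Tcl binding; the builder functions, table X and its rows are constructed for the example.

```python
import itertools
import sqlite3

# Each emitted subpattern gets its own prefix so nested patterns never
# collide; values live only in the bind dictionary, never in the SQL text.
_prefixes = itertools.count(1)


def subpattern(label, min_id):
    """Emit one pattern on table X as (sql, binds) with prefixed bind names."""
    p = "p%d" % next(_prefixes)
    sql = "SELECT id FROM X WHERE label = :%s_label AND id > :%s_id" % (p, p)
    binds = {"%s_label" % p: label, "%s_id" % p: min_id}
    return sql, binds


def nest(outer, inner):
    """Wrap `inner` as an IN-subselect of `outer`, merging the bind dicts."""
    outer_sql, outer_binds = outer
    inner_sql, inner_binds = inner
    # Prefixes guarantee disjoint names, so a plain merge cannot clobber a value.
    assert not set(outer_binds) & set(inner_binds)
    return "%s AND id IN (%s)" % (outer_sql, inner_sql), {**outer_binds, **inner_binds}


def run(query):
    """Execute a built query against a constructed in-memory table X."""
    sql, binds = query
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE X(id INTEGER, label TEXT)")
    # Constructed sample rows; two labels deliberately contain quote characters.
    conn.executemany("INSERT INTO X VALUES (?, ?)",
                     [(1, "a"), (2, "a"), (3, "b'c"), (4, "x' OR '1'='1")])
    return sorted(row[0] for row in conn.execute(sql, binds))


if __name__ == "__main__":
    # A label containing quotes is matched literally: it is bound, not spliced in.
    print(run(subpattern("x' OR '1'='1", 0)))                  # [4]
    print(run(nest(subpattern("a", 1), subpattern("a", 0))))   # [2]
```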