Re: Building a SQL question

Sun, 16 Apr 2006 05:57:47 -0700 


On 15-apr-2006, at 18:35, Jan Erik Mostr?m <[EMAIL PROTECTED]> wrote:


What I really want to do is to avoid to build the search question but
concatenating strings (to avoid security/syntax problems), should I do it 
some other way?
Simple string concatenation is always a bad idea as in some languages it is very common to use single or double quotes in for example a name or a city. So by solving this problem, you can also project yourself against SQL injections or syntax errors. 

Take for example these two functions:
Protected Function BuildQuery(Query As String, ParamArray Values As Variant) As String 
  Dim SQL As String
  Dim Parts() As String
  Dim i As Integer
  Dim Value As Variant

  ' Split the query on question marks
  Parts = Query.Split( "?" )

  ' Build the SQL statement
  For Each Value In Values
    ' Append the values
    SQL = SQL + Parts( i ) + DbManager.EncodeValue( Value )
    i = i + 1
    If i > UBound( Parts ) Then Break
  Next

  ' Append the trailing parts
  For i = i To UBound( Parts )
    SQL = SQL + Parts( i )
  Next

  Return SQL

End Function

Protected Function EncodeValue(Value As Variant) As String
  ' If it's not already a string, convert it
  If Value.Type <> 8 Then
    Value = CStr( Value )
  End if

  ' Double the single quotes
  Value = Value.ReplaceAll( "'", "''" )

  ' Add single quotes to the front and end
  Value = "'" + Value + "'"

  return Value.StringValue

End Function

You can then build your queries like:

Dim SQL As String
Dim MyValue1 As Integer = 123
Dim MyValue2 As String = "DELETE * FROM MyTable" // Let's try an SQL injection SQL = DbManager.BuildQuery( "INSERT INTO MyTable ( MyField1, MyField2 ) VALUES ( ?, ? )", MyValue1, MyValue2 ) 

HTH,

- Rob Laveaux

--------------------------------------------------------
Pluggers Software
Thijssestraat 203
2521 ZG  Den Haag
The Netherlands

Email: [EMAIL PROTECTED]
Website: http://www.pluggers.nl

--------------------------------------------------------


_______________________________________________
Unsubscribe or switch delivery mode:
<http://www.realsoftware.com/support/listmanager/>

Search the archives of this list here:
<http://support.realsoftware.com/listarchives/lists.html>

Reply via email to