Re: How do i sanitize a string for database query?

2015-07-21 Thread ddos via Digitalmars-d-learn

thx


Re: How do i sanitize a string for database query?

2015-07-21 Thread Gary Willoughby via Digitalmars-d-learn

On Tuesday, 21 July 2015 at 18:55:53 UTC, ddos wrote:
> On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:
>> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
>>> How do i sanitize a string for database query?
>>> Is there some builtin function?
>>>
>>> thx :)
>>
>> Use prepared statements instead.
>>
>> https://en.wikipedia.org/wiki/Prepared_statement
>
> thx for reminding me of prepared statements
> this is ok for preventing an SQL injection i guess, but still
> my insert would fail.
>
> maybe i should have specified what i want to achieve:
>
> i have a plugin for a call of duty gameserver, this plugin is
> able to ban players from the server by inserting name/IP/etc.
> into an SQL database. it is priority that the insert never
> fails. e.g. name could contain a ' which lets my insert fail.


Prepared statements handle this just fine. In fact that's why 
they exist, to handle this case.




Re: How do i sanitize a string for database query?

2015-07-21 Thread Alex Parrill via Digitalmars-d-learn

On Tuesday, 21 July 2015 at 18:55:53 UTC, ddos wrote:
> On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:
>> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
>>> How do i sanitize a string for database query?
>>> Is there some builtin function?
>>>
>>> thx :)
>>
>> Use prepared statements instead.
>>
>> https://en.wikipedia.org/wiki/Prepared_statement
>
> thx for reminding me of prepared statements
> this is ok for preventing an SQL injection i guess, but still
> my insert would fail.
>
> maybe i should have specified what i want to achieve:
>
> i have a plugin for a call of duty gameserver, this plugin is
> able to ban players from the server by inserting name/IP/etc.
> into an SQL database. it is priority that the insert never
> fails. e.g. name could contain a ' which lets my insert fail.


No it won't. The actual contents of your query parameters are 
irrelevant and are stored as-is; that's the entire point of using 
query parameters.


Example using d2sqlite3:

auto db = Database(":memory:");
auto stmt = db.prepare("INSERT INTO banned VALUES (?);")
stmt.bindAll("O'chucks");
stmt.execute(); // works fine



Re: How do i sanitize a string for database query?

2015-07-21 Thread ddos via Digitalmars-d-learn

On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:
> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
>> How do i sanitize a string for database query?
>> Is there some builtin function?
>>
>> thx :)
>
> Use prepared statements instead.
>
> https://en.wikipedia.org/wiki/Prepared_statement

thx for reminding me of prepared statements
this is ok for preventing an SQL injection i guess, but still my
insert would fail.

maybe i should have specified what i want to achieve:

i have a plugin for a call of duty gameserver, this plugin is
able to ban players from the server by inserting name/IP/etc.
into an SQL database. it is priority that the insert never fails.
e.g. name could contain a ' which lets my insert fail.





Re: How do i sanitize a string for database query?

2015-07-21 Thread Gary Willoughby via Digitalmars-d-learn

On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
> How do i sanitize a string for database query?
> Is there some builtin function?
>
> thx :)


Use prepared statements instead.

https://en.wikipedia.org/wiki/Prepared_statement


Re: How do i sanitize a string for database query?

2015-07-21 Thread Adam D. Ruppe via Digitalmars-d-learn

On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
> How do i sanitize a string for database query?

You generally shouldn't even try; instead, use the database
functions that bind parameters to the procedure.

> Is there some builtin function?

It is different for each database target.
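
An added example, not code from this thread or from d2sqlite3, illustrating the point made in both Alex Parrill's reply (parameters are stored as-is) and Adam D. Ruppe's reply (bind parameters rather than sanitizing). It uses Python's built-in sqlite3 module against the same SQLite engine d2sqlite3 wraps, so the behaviour carries over to the D code above. The `banned` table layout, the sample names and the IP addresses are constructed for the demo; the first name is the `O'chucks` case from the thread. The insecure concatenated INSERT is shown beside the bound one so the failure the original poster worried about can be seen directly.

```python
import sqlite3

# Constructed sample input for the demo (not data from the thread): the
# first name carries the single quote that breaks a concatenated INSERT.
SAMPLE_ROWS = [
    ("O'chucks", "203.0.113.7"),
    ("plain_name", "203.0.113.8"),
]


def make_db():
    """Fresh in-memory SQLite database with an assumed 'banned' table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE banned (name TEXT NOT NULL, ip TEXT NOT NULL)")
    return db


def insert_concatenated(db, name, ip):
    """Insecure pattern: the value is spliced into the SQL text, so any quote
    in `name` changes the statement itself (a syntax error at best)."""
    sql = "INSERT INTO banned VALUES ('" + name + "', '" + ip + "');"
    db.execute(sql)


def insert_bound(db, name, ip):
    """Safe pattern: the SQL text is fixed; the values travel separately as
    parameters and are stored exactly as given, quotes included.
    Returns the rowid of the inserted row."""
    cur = db.execute("INSERT INTO banned VALUES (?, ?);", (name, ip))
    return cur.lastrowid


def compare(rows):
    """For each (name, ip) pair, return
    name -> (concatenated insert succeeded?, value read back after binding)."""
    results = {}
    for name, ip in rows:
        db = make_db()
        try:
            insert_concatenated(db, name, ip)
            concat_ok = True
        except (sqlite3.Error, sqlite3.Warning):
            # e.g. OperationalError: near "chucks": syntax error
            concat_ok = False
        rowid = insert_bound(db, name, ip)
        stored = db.execute(
            "SELECT name FROM banned WHERE rowid = ?", (rowid,)
        ).fetchone()[0]
        results[name] = (concat_ok, stored)
        db.close()
    return results


if __name__ == "__main__":
    for name, (concat_ok, stored) in compare(SAMPLE_ROWS).items():
        print(f"{name!r}: concatenation {'ok' if concat_ok else 'FAILED'}, "
              f"bound insert stored {stored!r}")
```

Running it shows `O'chucks` failing under concatenation and being stored verbatim by the bound insert, while `plain_name` succeeds either way; the bound version never needs the name escaped because the name is never part of the SQL text.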


How do i sanitize a string for database query?

2015-07-21 Thread ddos via Digitalmars-d-learn

How do i sanitize a string for database query?
Is there some builtin function?

thx :)