Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-16 Thread John Elrick
dave lilley wrote:
> Many thanks to all who have replied,
>
> I now understand the difference and shall use that approach to creating my
> queries.
>
> regarding the "ruby way" it was more how I saw saving code typing by
> injecting different table, field and user data into one query thus saving
>

Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-15 Thread dave lilley
Many thanks to all who have replied, I now understand the difference and shall use that approach to creating my queries. Regarding the "ruby way", it was more how I saw saving code typing by injecting different table, field and user data into one query, thus saving typing. BUT in the interests of

Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-15 Thread John Elrick
dave lilley wrote:
> Many thanks John so if I take that example and push it out so I can have 1
> method that can return a SQL select statement on any table, field and search
> criteria I would only need to do this?
>
> In ruby it would be
>
> make_SQL (table, field, criteria)
> stmt = "sel

Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-15 Thread Jay A. Kreibich
On Mon, Jun 15, 2009 at 07:09:44PM +1200, dave lilley scratched on the wall:
>
>> e.g. stmt = "select * from customers where cust_no = #{uservar}"
>> row = db.execute(stmt)
>
> Now I could understand how my code could possibly allow the records in the
> table to be deleted but what's the differe

Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-15 Thread John Elrick
dave lilley wrote:
> Sorry for posting twice but...
>
> how does the method you have given me differ to mine?
>
> e.g. let's say this is the scenario
>
> uservar = "delete * from customers where * = *"
>
>
>>> e.g. stmt = "select * from customers where cust_no = #{uservar}"
>>> row = db.execute

Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-15 Thread Mohit Sindhwani
dave lilley wrote:
> Sorry for posting twice but...
>
> how does the method you have given me differ to mine?
>
> e.g. let's say this is the scenario
>
> uservar = "delete * from customers where * = *"
>
>
>>> e.g. stmt = "select * from customers where cust_no = #{uservar}"
>>> row = db.execute

Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-15 Thread dave lilley
Sorry for posting twice but...

how does the method you have given me differ to mine?

e.g. let's say this is the scenario

uservar = "delete * from customers where * = *"

>> e.g. stmt = "select * from customers where cust_no = #{uservar}"
>> row = db.execute(stmt)

Now I could understand how my c

Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-15 Thread dave lilley
Many thanks John so if I take that example and push it out so I can have 1 method that can return a SQL select statement on any table, field and search criteria I would only need to do this?

In ruby it would be

make_SQL (table, field, criteria)
stmt = "select * from #{table} where #{field

Re: [sqlite] SQlite3 - SQL injection using ruby

2009-06-14 Thread John Elrick
dave lilley wrote:
> I am using sqlite3 with ruby and hope I'm not out of place here in asking for
> some help on how to stop or reduce injection threats via sql statements made
> by a user be it accidental or deliberate.
>
> I want to build a select query from user entered data and then return rows
>

[sqlite] SQlite3 - SQL injection using ruby

2009-06-13 Thread dave lilley
I am using sqlite3 with ruby and hope I'm not out of place here in asking for some help on how to stop or reduce injection threats via sql statements made by a user, be it accidental or deliberate. I want to build a select query from user entered data and then return rows that match. e.g. stmt = "sel