Many thanks to all who have replied,
I know understand the difference and shall use that approach to creating my
queries.
regarding the "ruby way" it was more how I saw saving code typing by
injection different table, field and user data into one query thus saving
typing.
BUT in the interests of eliminating/ reducing SQL injection I shall pass the
table name to my method and test against it to select which query to use
against that table and use the SQLite3 binding method.
e.g.
def makesql (tablename, uservar)
case tablename
when customers == tablename
stmt = select * from customers where cust_nos = ?"
when jobs == tablename
stmt = ....
end
row = db.execute(stmt,uservar)
again many thanks to all,
Dave.
2009/6/16 John Elrick <john.elr...@fenestra.com>
> dave lilley wrote:
> > Many thanks John so if i take that example and push it out so i can have
> 1
> > method that can return a SQL select statement on any table, field and
> search
> > criteria i would only need to do this?
> >
> > In ruby it would be ....
> >
> > make_SQL (table, field, criteria)
> > stmt = "select * from #{table} where #{field} = #{criteria}"
> > row = db.execute(stmt)
> > end
> >
> > and SQLite3 way would be ...
> >
> > make_SQL(table,field,criteria)
> > stmt = "select * from ? where ? = ?"
> > row = db.execute(stmt)
> > end
> >
> > would this presumtion be correct?
> >
> >
>
> No. You would have to use the table and field names directly:
>
> def make_SQL(table, field, criteria)
> stmt = "select * from #{table} where #{field} = ?"
> row = db.execute(stmt, criteria)
> end
>
>
>
> John
> _______________________________________________
> sqlite-users mailing list
> sqlite-users@sqlite.org
> http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
>
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
