dave lilley wrote:
> Many thanks to all who have replied,
>
> I now understand the difference and shall use that approach to creating my
> queries.
>
> Regarding the "ruby way", it was more how I saw saving code typing by
> injecting different table, field and user data into one query, thus saving
> typing.
>
> BUT in the interests of eliminating/reducing SQL injection I shall pass the
> table name to my method and test against it to select which query to use
> against that table, and use the SQLite3 binding method.
>
> e.g.
>
> def makesql(tablename, uservar)
>   case tablename
>   when "customers"
>     stmt = "select * from customers where cust_nos = ?"
>   when "jobs"
>     stmt = ....
>   end
>   row = db.execute(stmt, uservar)
> end
Unless your user is typing in the table name also, you don't have to go that far. Interpolation is fine for system defined variables.

John
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
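The pattern the thread settles on, interpolate only a system-defined table name and bind the user-supplied value with a `?` placeholder, as an added example that is not part of either message above. It uses Python's standard-library `sqlite3` module rather than the Ruby gem because it is the same SQLite engine with the same `?` binding and runs with no extra install; the table names, column names, sample rows and the `ALLOWED_TABLES` allowlist are constructed for this example. It also shows why the table name cannot simply be bound like a value: SQLite rejects `FROM ?` as a syntax error, which is why an allowlist check plus interpolation is the usual answer when the table name comes from the caller.

```python
import sqlite3

# Constructed allowlist of system-defined table names; anything else is refused
# before it gets near the SQL string.
ALLOWED_TABLES = {"customers", "jobs"}


def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (cust_nos INTEGER, name TEXT)")
    db.execute("CREATE TABLE jobs (cust_nos INTEGER, title TEXT)")
    db.executemany("INSERT INTO customers VALUES (?, ?)", [(1, "Ann"), (2, "Bob")])
    db.executemany("INSERT INTO jobs VALUES (?, ?)", [(1, "Repair"), (2, "Install")])
    return db


def table_name_can_be_bound(db):
    """Try to bind the table name with '?'; SQLite treats it as a syntax error,
    so this returns False. Identifiers cannot be bound, only values can."""
    try:
        db.execute("SELECT * FROM ? WHERE cust_nos = ?", ("customers", 1))
        return True
    except sqlite3.OperationalError:
        return False


def query_by_customer(db, tablename, uservar):
    """Hardened form: the table name is checked against the allowlist and only
    then interpolated; the user value is always passed as a bound parameter."""
    if tablename not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {tablename!r}")
    stmt = f"SELECT * FROM {tablename} WHERE cust_nos = ?"
    return db.execute(stmt, (uservar,)).fetchall()


def unsafe_query(db, tablename, uservar):
    """Interpolation-everywhere form from the thread's original idea: the user
    value is spliced into the SQL text, so it is parsed as SQL, not as data."""
    stmt = f"SELECT * FROM {tablename} WHERE cust_nos = {uservar}"
    return db.execute(stmt).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("table name bindable:", table_name_can_be_bound(db))
    print("bound lookup:", query_by_customer(db, "customers", 1))
    # A bound value that looks like SQL is compared as a string and matches nothing.
    print("bound, SQL-looking value:", query_by_customer(db, "customers", "1 OR 1=1"))
    # The same value interpolated changes the WHERE clause and returns every row.
    print("interpolated, same value:", unsafe_query(db, "customers", "1 OR 1=1"))
```

Running it shows the contrast: with binding, the string `1 OR 1=1` is just a value that matches no `cust_nos`, while interpolated it rewrites the query and returns every row. The allowlist is what makes interpolating the table name safe when the name is chosen by the program; if the name ever came from the user, the `ValueError` branch is the line of defence.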