LMHmedchem <lmh_users-gro...@molconn.com> wrote:
> Igor,
> It seem as if you are saying that string values like a name should be passed
> in SQL commands as variables, is that right?
Personally, I tend to do this for all values, whether strings or numbers or
otherwise.
> At the moment, I am accessing
> SQLite through the ruby-sqlite3 interface
For the record, I'm completely unfamiliar with that.
> so the inserts look like,
>
> @db.execute "INSERT INTO #{table_name.capitalize}
> VALUES(#{insert_into_fields(table_name, values_array)})"
>
> (I haven't got to queries yet)
>
> the data is contained in the values_array, but I guessing that will still
> create a problem if there are single quotes in one of the values?
Well, it's possible that insert_into_fields function does, or can be made to
do, the necessary escaping.
> I have
> looked at the link you sent (and to the very funny cartoon, thanks), but it
> will take a bit to decipher. Since I am using the ruby interface and not the
> C interface, it may be that I need to look at the ruby-sqlite3 doc, but I am
> amusing/hoping that there is something similar.
A quick Google search reveals
http://sqlite-ruby.rubyforge.org/sqlite3/faq.html#538670816
> It looks like you set the
> value of a parameter to your string value and then pass the parameter
> instead of the literal string.
You embed a placeholder in your statement where a literal would be. Each
placeholder corresponds to a parameter (multiple placeholders may correspond to
the same parameter). Then you bind actual values to parameters, and finally you
execute the statement.
> Is that more or less the idea? I guess it
> would be easy enough to double the quotes in the ruby code before inserts or
> queries, as Simon suggested, and then un-double them on the way out if data
> was being retrieved from the database to be written somewhere else.
You don't need this last part. The text you get from SELECT is the original,
without escaping.
--
Igor Tandetnik
_______________________________________________
sqlite-users mailing list
sqlite-users@sqlite.org
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
