On Fri, Apr 10, 2015 at 6:14 PM, J. Landman Gay <jac...@hyperactivesw.com> wrote:
> I'm not quite sure what Pete meant by using the variable name option in
> the rev database functions though. (I am so not a database person.)

Well you opened the door by asking :-)

As an example, revDataFromQuery's syntax is

    revDataFromQuery([*columnDelim*],[*rowDelim*],*databaseID*,*SQLQuery*[, *varsList*])

"varslist" is the thing I mentioned. It allows you to have a SELECT statement like this:

    SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2

The values for :1 and :2 are supplied in the varslist, which can either be a comma-separated list of simple variable names or a single array variable with, in this case, keys 1 and 2, with the variable names enclosed in quotes. So the revDataFromQuery call would be:

    put revDataFromQuery(,,gDBID,tSelect,"tValue1","tValue2") into tData

OR

    put revDataFromQuery(,,gDBID,tSelect,"tArray") into tData

In addition to preventing SQL injection attacks, this also avoids the need to escape troublesome characters like quotes in the data.

Pete
lcSQL Software <http://www.lcsql.com>
Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>
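
Added example, not part of the original message: a LiveCode handler that runs the same lookup once with the varsList binding described above and once with the values concatenated into the SQL text, so the two results can be compared. The handler name demoVarsList, the temporary SQLite file and the table contents are constructed for illustration.

```livecode
-- Added example: handler name, file name and table rows are constructed.
command demoVarsList
   local tPath, tDBID, tRows, tRow, tFields, tSelect, tConcat
   local tValue1, tValue2, tBound1, tConcat1, tBound2, tConcat2
   put specialFolderPath("temporary") & "/varslist_demo.sqlite" into tPath
   if there is a file tPath then delete file tPath
   put revOpenDatabase("sqlite", tPath, , , , ) into tDBID
   if tDBID is not an integer then return "open failed:" && tDBID
   revExecuteSQL tDBID, "CREATE TABLE myTable (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)"

   -- Load two rows with the array form of varsList (keys 1 to 4).
   put "a1,b1,O'Brien,red" & return & "a2,b2,Smith,blue" into tRows
   repeat for each line tRow in tRows
      put tRow into tFields
      split tFields by comma
      revExecuteSQL tDBID, "INSERT INTO myTable VALUES (:1,:2,:3,:4)", "tFields"
   end repeat

   put "SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2" into tSelect

   -- Case 1: a legitimate value that contains a quote character.
   put "O'Brien" into tValue1
   put "red" into tValue2
   -- Bound: the value travels separately from the SQL text, no escaping needed.
   put revDataFromQuery(,,tDBID,tSelect,"tValue1","tValue2") into tBound1
   -- Concatenated: the apostrophe ends the string literal early, so the
   -- statement the database receives is no longer the one that was intended.
   put "SELECT col1,col2 FROM myTable WHERE col3='" & tValue1 & \
         "' AND col4='" & tValue2 & "'" into tConcat
   put revDataFromQuery(,,tDBID,tConcat) into tConcat1

   -- Case 2: a value that carries SQL syntax of its own.
   put "Smith" into tValue1
   put "x' OR '1'='1" into tValue2
   -- Bound: the whole string is compared to col4 as data.
   put revDataFromQuery(,,tDBID,tSelect,"tValue1","tValue2") into tBound2
   -- Concatenated: the OR clause becomes part of the WHERE condition.
   put "SELECT col1,col2 FROM myTable WHERE col3='" & tValue1 & \
         "' AND col4='" & tValue2 & "'" into tConcat
   put revDataFromQuery(,,tDBID,tConcat) into tConcat2

   revCloseDatabase tDBID
   return "case 1 bound:" && tBound1 & return & "case 1 concatenated:" && tConcat1 & return & \
         "case 2 bound:" && tBound2 & return & "case 2 concatenated:" && tConcat2
end demoVarsList
```

Call demoVarsList and inspect `the result` to compare the four outcomes.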