On 19/05/2016 16:41, Paul Dupuis wrote:
Mike and Peter: So you're both saying that if I use either:
revExecuteSQL myID, "insert into mytable values(:1,:2)",
"Variable1","Variable2"
OR
revExecuteSQL myID,"insert into mytable values(:1,:2)","myArray"
where myArray[1] has the content for the first column and myArray[2] for
the second column in the table
That the revExecuteSQL command will escape the data in Variable1 or
myArray[1] even if it contains returns and tabs and single and double
quotes and so on?
I had thought that it just did substitution. I.e. it effectively just
replaced the :1 in the query with the contents of the variable, so for a
VarChar, Char, or Text column in the database, Variable1 would have to
contain 'some text' in single quotes. I would be happy if my assumption
is completely wrong.
It doesn't do textual substitution. I've used placeholders and
revExecuteSQL even to store arbitrary binary data in an SQL database
safely and securely. If you have access to the App Building Course, the
Photos app demonstrates how to do this quite nicely.
Peter
--
Dr Peter Brett <peter.br...@livecode.com>
LiveCode Open Source Team
LiveCode 2016 Conference https://livecode.com/edinburgh-2016/
_______________________________________________
use-livecode mailing list
use-livecode@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-livecode
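The distinction Peter draws (placeholder binding versus textual substitution) is easy to see in a self-contained script. The following is an added example, not code from the thread or from LiveCode; it uses Python's sqlite3 module, whose `?` placeholders bind parameters the same way revExecuteSQL's `:1`, `:2` placeholders do, and contrasts that with building the statement by string formatting, which is the behaviour Paul feared. The table names, columns and sample values are constructed for the demonstration.

```python
import sqlite3

# Constructed sample values: the second pair contains a single quote and
# double quotes, the first contains a tab and a newline.
SAMPLES = [
    ("plain", "tabs\tand\nreturns are fine inside a literal"),
    ("O'Brien", 'said "hi"'),
]
# Constructed binary payload: every byte value 0..255, including NUL and quotes.
BINARY_SAMPLE = bytes(range(256))


def setup():
    """Fresh in-memory database with a text table and a blob table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mytable (col1 text, col2 text)")
    conn.execute("create table blobs (data blob)")
    return conn


def insert_by_substitution(conn, v1, v2):
    """Textual substitution: the caller wraps each value in single quotes
    and splices it into the SQL text. Any quote inside the data changes
    the statement itself, so the database sees broken (or altered) SQL."""
    sql = "insert into mytable values('%s','%s')" % (v1, v2)
    conn.execute(sql)


def insert_by_placeholder(conn, v1, v2):
    """Parameter binding: the statement text is fixed and the values are
    handed to the driver separately, so their contents never become SQL.
    No quoting or escaping by the caller is needed or wanted."""
    conn.execute("insert into mytable values(?,?)", (v1, v2))


def substitution_outcomes():
    """One outcome per sample under substitution: 'inserted' or 'rejected'."""
    conn = setup()
    outcomes = []
    for v1, v2 in SAMPLES:
        try:
            insert_by_substitution(conn, v1, v2)
            outcomes.append("inserted")
        except sqlite3.Error:
            # The embedded quote makes the spliced statement unparseable.
            outcomes.append("rejected")
    return outcomes


def placeholder_roundtrip():
    """Insert every sample via placeholders and read the rows back."""
    conn = setup()
    for v1, v2 in SAMPLES:
        insert_by_placeholder(conn, v1, v2)
    return conn.execute(
        "select col1, col2 from mytable order by rowid").fetchall()


def binary_roundtrip():
    """Arbitrary bytes survive a placeholder insert unchanged."""
    conn = setup()
    conn.execute("insert into blobs values(?)", (BINARY_SAMPLE,))
    return conn.execute("select data from blobs").fetchone()[0]


if __name__ == "__main__":
    print("substitution:", substitution_outcomes())
    print("placeholders:", placeholder_roundtrip())
    print("binary intact:", binary_roundtrip() == BINARY_SAMPLE)
```

Running it shows that substitution copes with tabs and returns but fails as soon as a value contains a quote, while the placeholder path stores every sample, quotes and all, exactly as given, and the 256-byte blob comes back byte for byte. That is the property the thread is after: with placeholders the data is a parameter, not part of the query text, so there is nothing for the caller to escape.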