QTSql String Quoting



ldsjohn
4th December 2006, 22:45
I recently discovered an issue in an application I have created, where someone can put a ' in an entry field and cause the query to screw up.

I know in PHP I have many functions to quote SQL properly, but I can't seem to find one included with QSql, or even one written in C++ for that matter.

If anyone with experience with this could point me in the right direction, towards such a function, I would very much appreciate it :-D

jacek
4th December 2006, 23:05
Use QSqlQuery::bindValue() and forget about quotes.

ldsjohn
4th December 2006, 23:49
Well, I think that's what I was looking for. Do you know of a good tutorial for doing so?

Right now I am just putting my query into a QString, then using the exec function to get the query and going from there.

But this looks like I have to use QSql to build the query, probably a better way of doing it though.

jacek
4th December 2006, 23:58
Well, I think that's what I was looking for. Do you know of a good tutorial for doing so?
Whole tutorial for one method? ;)


QSqlQuery q;
// The statement is compiled once, with a named placeholder instead of the value.
q.prepare( "INSERT INTO some_table( some_column ) VALUES ( :some_value )" );
// _someValue is the user-entered text; the driver passes it as data, so a ' inside it is harmless.
q.bindValue( ":some_value", _someValue );
if( q.exec() ) {
// ok
}
else {
// error, see q.lastError()
}
Just watch out for the placeholders --- you'll get interesting results if you forget one bindValue() or make a typo in the placeholder name.

Instead of ":name" you can use "?" (in that case you'll have to specify a number as the first argument for bindValue()).
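The fix jacek describes, as an added example that is not from the thread: the same concatenation-versus-binding comparison written with Python's standard sqlite3 module, which runs without a Qt install. `insert_named` corresponds to prepare() with a `:some_value` placeholder plus bindValue(), `insert_positional` to the `?` form, and the table and input values are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE some_table (some_column TEXT)")
    return con


def insert_by_concatenation(con, value):
    """The pattern from the question: build the SQL as a string and exec it.
    A value containing a single quote ends the literal early and breaks
    the statement (or changes its meaning)."""
    sql = "INSERT INTO some_table (some_column) VALUES ('" + value + "')"
    con.execute(sql)


def insert_named(con, value):
    """Named placeholder, bound by name (prepare + bindValue(':some_value', v))."""
    con.execute("INSERT INTO some_table (some_column) VALUES (:some_value)",
                {"some_value": value})


def insert_positional(con, value):
    """Positional '?' placeholder, bound by position (bindValue(0, v))."""
    con.execute("INSERT INTO some_table (some_column) VALUES (?)", (value,))


def forgot_to_bind(con):
    """Jacek's warning: a placeholder with no value bound. This driver refuses
    to run the statement rather than guessing; returns True if it was caught."""
    try:
        con.execute("INSERT INTO some_table (some_column) VALUES (:some_value)", {})
        return False
    except sqlite3.ProgrammingError:
        return True


def stored_values(con):
    return [row[0] for row in con.execute("SELECT some_column FROM some_table")]


def demo(value):
    """Returns (concatenation_succeeded, rows stored by the bound inserts)."""
    con = make_db()
    try:
        insert_by_concatenation(con, value)
        concat_ok = True
    except sqlite3.OperationalError:  # syntax error caused by the stray quote
        concat_ok = False
    insert_named(con, value)
    insert_positional(con, value)
    return concat_ok, stored_values(con)
```

Run `demo("O'Brien")`: the concatenated statement fails, while both bound inserts store the name with its apostrophe intact.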

ldsjohn
5th December 2006, 00:01
Thanks, I am normally not so clueless. Long day: I am a one-man dev team for a construction-type company, and this one problem has gotten me too many phone calls to count today...

thanks a bunch

ldsjohn
5th December 2006, 00:04
One other question if you have a moment: can I reuse q? Like, if I have three queries, is there something I should do to clear it, or can I just q.prepare again?

jacek
5th December 2006, 00:12
Can I reuse q? Like, if I have three queries, is there something I should do to clear it, or can I just q.prepare again?
AFAIK prepare() should be enough, but of course if you want to execute the same query several times, it will be enough if you prepare it once.