QtSql String Quoting
ldsjohn
4th December 2006, 22:45
I recently discovered an issue in an application I have created, where someone can put a ' in an entry field and cause the query to screw up.
I know in PHP I have many functions to quote SQL properly, but I can't seem to find one included with QtSql, or even one written in C++ for that matter.
If anyone with experience with this could point me in the right direction, towards such a function, I would very much appreciate it :-D
jacek
4th December 2006, 23:05
Use QSqlQuery::bindValue() and forget about quotes.
ldsjohn
4th December 2006, 23:49
Well, I think that's what I was looking for. Do you know of a good tutorial for doing so?
Right now I am just putting my query into a QString and then using the exec function to run the query, and going from there,
but this looks like I have to use QtSql to build the query. Probably a better way of doing it, though.
jacek
4th December 2006, 23:58
Well, I think that's what I was looking for. Do you know of a good tutorial for doing so?
Whole tutorial for one method? ;)
#include <QSqlQuery>

QSqlQuery q;
// Named placeholder instead of splicing the value into the SQL text.
q.prepare( "INSERT INTO some_table( some_column ) VALUES ( :some_value )" );
// The driver receives the value separately from the statement, so quotes in it cannot change the SQL.
q.bindValue( ":some_value", _someValue );
if( q.exec() ) {
    // ok
}
else {
    // error: q.lastError().text() describes what went wrong
}
Just watch out for the placeholders: you'll get interesting results if you forget one bindValue() or make a typo in a placeholder name.
Instead of ":name" you can use "?" (in that case you'll have to specify a number as the first argument for bindValue()).
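To make the point of the reply above concrete, here is an added example (not code from the thread, and not Qt's own implementation): buildNaiveQuery() is the string-concatenation approach the original poster describes, quoteSqlLiteral() is the standard-SQL escaping of a literal (doubling every '), and bindPlaceholders() is a small client-side emulation of what prepare()/bindValue() do, including a refusal to run when a placeholder was left unbound or misspelled. The function names, the table and column, and the sample inputs are all constructed for the example. In real Qt code use QSqlQuery::prepare() and bindValue() as shown above, which pass the value to the driver separately from the SQL rather than building text on the client.

```cpp
// Added example: stray ' in a concatenated query versus placeholder binding.
// bindPlaceholders() is an illustration of the binding idea only; Qt's own
// QSqlQuery::bindValue() hands the value to the database driver and is the
// thing to use in a real application.
#include <cctype>
#include <cstddef>
#include <iostream>
#include <map>
#include <set>
#include <stdexcept>
#include <string>

// The original poster's approach: the value is spliced into the SQL text.
// A value containing ' closes the literal early and the rest becomes SQL.
std::string buildNaiveQuery(const std::string& value) {
    return "INSERT INTO some_table( some_column ) VALUES ( '" + value + "' )";
}

// Standard SQL escaping for a single-quoted string literal: double every '.
// Assumes standard literal syntax; it does not cover backslash handling on
// engines that treat \ specially (for example MySQL in non-ANSI mode).
std::string quoteSqlLiteral(const std::string& value) {
    std::string out = "'";
    for (char c : value) {
        if (c == '\'') out += "''";
        else out += c;
    }
    out += "'";
    return out;
}

// Replace each :name placeholder with a quoted literal. Refuses to produce a
// statement when a placeholder has no bound value or a bound value has no
// placeholder: the "forgot one bindValue() / typo" case from the thread.
// Limitation (constructed helper): it does not skip ':' inside quoted
// literals that already appear in the template.
std::string bindPlaceholders(const std::string& tmpl,
                             const std::map<std::string, std::string>& values) {
    std::string out;
    std::set<std::string> used;
    for (std::size_t i = 0; i < tmpl.size();) {
        bool start = tmpl[i] == ':' && i + 1 < tmpl.size() &&
                     (std::isalpha(static_cast<unsigned char>(tmpl[i + 1])) ||
                      tmpl[i + 1] == '_');
        if (!start) { out += tmpl[i++]; continue; }
        std::size_t j = i + 1;
        while (j < tmpl.size() &&
               (std::isalnum(static_cast<unsigned char>(tmpl[j])) || tmpl[j] == '_')) ++j;
        std::string name = tmpl.substr(i, j - i);  // keeps the leading ':'
        auto it = values.find(name);
        if (it == values.end()) throw std::runtime_error("unbound placeholder " + name);
        out += quoteSqlLiteral(it->second);
        used.insert(name);
        i = j;
    }
    for (const auto& kv : values)
        if (!used.count(kv.first)) throw std::runtime_error("no placeholder for " + kv.first);
    return out;
}

// True when binding is rejected (missing or misspelled placeholder).
bool bindingRejects(const std::string& tmpl,
                    const std::map<std::string, std::string>& values) {
    try { bindPlaceholders(tmpl, values); return false; }
    catch (const std::runtime_error&) { return true; }
}

int main() {
    // Constructed inputs: an innocent name with an apostrophe, and a hostile one.
    const std::string name = "O'Brien";
    const std::string hostile = "x' ); DROP TABLE some_table; --";
    std::cout << buildNaiveQuery(name) << "\n";     // literal ends after O
    std::cout << buildNaiveQuery(hostile) << "\n";  // DROP TABLE is now SQL
    std::cout << bindPlaceholders(
        "INSERT INTO some_table( some_column ) VALUES ( :some_value )",
        {{":some_value", hostile}}) << "\n";        // whole value stays one literal
    return 0;
}
```

The two rejections in bindingRejects() are what a real driver does for you: QSqlQuery::exec() fails and lastError() reports the problem instead of sending a half-bound statement, which is why the reply above says to watch the placeholder names.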
ldsjohn
5th December 2006, 00:01
Thanks. I am normally not so clueless; long day. I am a one-man dev team for a construction-type company, and this one problem has gotten me too many phone calls to count today...
Thanks a bunch.
ldsjohn
5th December 2006, 00:04
One other question, if you have a moment: can I reuse q? Like, if I have three queries, is there something I should do to clear it, or can I just q.prepare() again?
jacek
5th December 2006, 00:12
Can I reuse q? Like, if I have three queries, is there something I should do to clear it, or can I just q.prepare() again?
AFAIK prepare() should be enough, but of course if you want to execute the same query several times, it will be enough to prepare it once.