escape input for mysql server
in Qt is there any equivalent function similar to "mysql_escape_string()" in PHP?
what I am trying to accomplish is to allow a user to enter information into a QTextedit and then transfer the data into a blob in mysql. My code so far works perfectly to get the text edit info into the blob except for cases where certain special characters are entered. For instance entering:
Quote:
somestuff","somemorestuff
into the text edit causes an error as my query interprets this as part of the SQL statement rather than something the user typed that should be put in the blob.
Re: escape input for mysql server
Quote:
Originally Posted by
tpf80
in Qt is there any equivalent function similar to "mysql_escape_string()" in PHP?
what I am trying to accomplish is to allow a user to enter information into a QTextedit and then transfer the data into a blob in mysql. My code so far works perfectly to get the text edit info into the blob except for cases where certain special characters are entered. For instance entering:
into the text edit causes an error as my query interprets this as part of the SQL statement rather than something the user typed that should be put in the blob.
PHP having 5000 or more function. C++ is different...
For any projekt i make a base class to extendend on evry place i need....
I work so many on XML utf-8 and i put on sql as encodeBase64 and must not quote...
php can read on http://php.net/base64-decode.php and the Dom XML friends....
As caching Dom ist faster.... only must transform xslt ...the data pdf, word, openoffice, svg, csv, ecc...
Code:
/* insert quote */
{
text.replace("\"","\\\""); /* 228 ``*/
text.replace("'","`");
return text;
}
/* select quote */
{
text.replace("\\\"","\""); /* 228 ``*/
text.replace("`","\'");
return text;
}
/* encode to name */
{
text.append(xml);
return text.toBase64();
}
/* decode to name */
{
xcode.append(xml);
return notetxt;
}
is your QTextedit data xhtml? image and so.....
IMO: QTextedit xhtml and image or attachment i zip the file to mysql
blob (mysql longblob 2GB max 4MB query setting) data zip file
QByteArray zipstream;
zipstream.toBase64();
and after to replace field.... is so clean and small data...
SAMPLE: my new Home-Page http://www.swisse.net/ work only on 2 xslt file
http://ciz.ch/map/theme/zest/page.xsl
http://ciz.ch/map/theme/zest/master_html.xsl
PHP unzip data as cache folder , like this http://www.swisse.net/data/2007/01/01/50000/ and xslt transform all no sql query... only admin running sql.
Re: escape input for mysql server
Try preparing the query and then binding values (QSqlQuery::prepare() and QSqlQuery::bindValue()), they should escape the data for you.
Re: escape input for mysql server
Quote:
Originally Posted by
wysota
Yes work fine on sqlite or other db type != not on mysql Collation special like CHARSET=utf-8 or other koi8r .... qt take from CHARSET QLocale and pusch on DBs and not read "SHOW COLUMNS FROM TABLE" to become the correct CHARSET, if table having iso latin 1 an OS QLocale is the same works....
Re: escape input for mysql server
thanks for your help, "bindValue()" is the way to go in this instance. am now able to add records with non-standard characters in them and it works fine.
Re: escape input for mysql server
I also noticed that I can use "bindValue()" for select statements, even though the examples only show them for inserts:
Code:
query.prepare("select userid, username, firstname, lastname, email, status from user where username=:username");
query.bindValue(":username", login.username);
if (!query.exec()) {
//do something to handle the error here
} else {
while (query.next()) {
//do something with the results we got here
}
}
]
is this a proper use of "bindValue()"?
Re: escape input for mysql server
Quote:
Originally Posted by
patrik08
Yes work fine on sqlite or other db type != not on mysql Collation special like CHARSET=utf-8 or other koi8r .... qt take from CHARSET QLocale and pusch on DBs and not read "SHOW COLUMNS FROM TABLE" to become the correct CHARSET, if table having iso latin 1 an OS QLocale is the same works....
If you have the database set incorrectly then don't expect everything to work.
Quote:
Originally Posted by
tpf80
I also noticed that I can use "bindValue()" for select statements, even though the examples only show them for inserts:
(...)
is this a proper use of "bindValue()"?
Sure :)
Re: escape input for mysql server
One last question I notice that:
Code:
#
query.prepare("select userid, username, firstname, lastname, email, status from user where username=:username");
#
query.bindValue(":username", login.username);
Pretty much escapes the login.username, puts it in quotes, and inserts it where :username is. However how do I use bindValue() with queries using "like" for example:
Code:
query.prepare("select userid, username, firstname, lastname, email, status from user where username like \"%" + something + "%\"");
it doesn't seem that
Code:
query.prepare("select userid, username, firstname, lastname, email, status from user where username like \"%:something%\"");
query.bindValue(":something", somevariable);
works properly. (gives an error preparing the query). What is the proper way to use bindvalue with a "like" query?
Re: escape input for mysql server
Quote:
Originally Posted by
tpf80
What is the proper way to use bindvalue with a "like" query?
Try:
Code:
SELECT userid, username, firstname, lastname, email, STATUS
FROM user
WHERE username LIKE '%' || :something || '%'
or
Code:
query.bindValue(":something", "%" + somevariable + "%" );
