Quote Originally Posted by qlands
Qt Code:
    sql = "INSERT INTO mytable (code,name) VALUES ('" + mydlg.getCode() + "','" + mydlg.getName() + "')"; //Creates the sql insert
It also creates reliability and security issues if you get into the habit of building queries this way. If one of the user's name entries were "Miles O'Brien (Star Trek)" (without the enclosing quotes) the INSERT would fail. If the INSERT were a DELETE the consequences could be dire:
Qt Code:
    sql = "DELETE FROM mytable WHERE code = '" + mydlg.getCode() + "'";
seems safe enough until someone exploits the weakness by typing "x' OR code is not null; -- " as the code, making the query:
Qt Code:
    DELETE FROM mytable WHERE code = 'x' OR code is not null;-- '
and trashes much data (on most RDBMS systems). It might not matter on your single-user desktop app, but it matters greatly in the broader world.

QSqlQuery provides Approaches to Binding Values that ensure user input is safely handled: please use them.
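Both failure modes from the post, the apostrophe that breaks the INSERT and the payload that widens the DELETE, side by side with the bound-value version, as an added example that is not part of the original post or of Qt. It uses Python's built-in sqlite3 module rather than QSqlQuery so it runs without Qt; the Qt equivalent of the `?` placeholders is QSqlQuery::prepare() followed by bindValue() or addBindValue(). The table rows and the field values are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the poster's mytable(code, name).
SAMPLE_ROWS = [("A1", "Alice"), ("B2", "Bob"), ("C3", "Carol")]

# The injection string from the post, as typed into the "code" field.
PAYLOAD = "x' OR code is not null; -- "


def fresh_db():
    """In-memory copy of mytable seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (code TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO mytable (code, name) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM mytable").fetchone()[0]


def lookup_name(conn, code):
    row = conn.execute("SELECT name FROM mytable WHERE code = ?", (code,)).fetchone()
    return row[0] if row else None


def insert_concat(conn, code, name):
    """The quoted approach: splice the values into the SQL text.
    Returns True on success, False if the database rejects the statement."""
    sql = "INSERT INTO mytable (code,name) VALUES ('" + code + "','" + name + "')"
    try:
        conn.execute(sql)
        return True
    except sqlite3.OperationalError:
        # The apostrophe in O'Brien closes the string literal early; the rest
        # is a syntax error, so the user's row is never stored.
        return False


def insert_bound(conn, code, name):
    """Bound values: the driver sends the data separately from the SQL text,
    so quotes inside the data are just characters, never syntax."""
    conn.execute("INSERT INTO mytable (code,name) VALUES (?, ?)", (code, name))
    return True


def delete_concat(conn, code):
    """The quoted DELETE built by concatenation; returns rows removed."""
    sql = "DELETE FROM mytable WHERE code = '" + code + "'"
    # With PAYLOAD this runs: ... WHERE code = 'x' OR code is not null; -- '
    return conn.execute(sql).rowcount


def delete_bound(conn, code):
    """Same DELETE with a placeholder; the payload is compared as one string."""
    return conn.execute("DELETE FROM mytable WHERE code = ?", (code,)).rowcount


if __name__ == "__main__":
    db = fresh_db()
    print("concat INSERT of O'Brien stored:", insert_concat(db, "D4", "Miles O'Brien (Star Trek)"))
    print("bound  INSERT of O'Brien stored:", insert_bound(db, "D4", "Miles O'Brien (Star Trek)"))
    db = fresh_db()
    print("concat DELETE with payload removed", delete_concat(db, PAYLOAD), "rows, left:", row_count(db))
    db = fresh_db()
    print("bound  DELETE with payload removed", delete_bound(db, PAYLOAD), "rows, left:", row_count(db))
```

Running it shows the concatenated INSERT failing on the apostrophe while the bound one stores the name intact, and the concatenated DELETE emptying the table while the bound DELETE removes nothing because no row has the payload string as its code.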