digitalmars.D.learn - How do i sanitize a string for database query?
- ddos (3/3) Jul 21 2015 How do i sanitize a string for database query?
- Adam D. Ruppe (4/6) Jul 21 2015 You generally shouldn't even try, instead use the database
- Gary Willoughby (3/6) Jul 21 2015 Use prepared statements instead.
- ddos (9/16) Jul 21 2015 thx for reminding me of prepared statements
- Alex Parrill (9/27) Jul 21 2015 No it won't. The actual contents of your query parameters are
- ddos (1/1) Jul 21 2015 thx
- Gary Willoughby (3/21) Jul 21 2015 Prepared statements handle this just fine. In fact that's why
How do i sanitize a string for database query? Is there some builtin function? thx :)
Jul 21 2015
"Adam D. Ruppe" <destructionator gmail.com> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:How do i sanitize a string for database query?You generally shouldn't even try, instead use the database functions that bind parameters to the procedure.Is there some builtin function?It is different for each database target.
Jul 21 2015
On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:How do i sanitize a string for database query? Is there some builtin function? thx :)Use prepared statements instead. https://en.wikipedia.org/wiki/Prepared_statement
Jul 21 2015
On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:thx for reminding me of prepared statements this is ok for preventing an sql injection i guess, but still my insert would fail. maybe i should have specified what i want to achieve: i have a plugin for a call of duty gameserver, this plugin is able to ban players from the server by inserting name/ip/etc.. into a sql database. it is priority that the insert never fails. e.g. name could contain a ' which lets my insert fail.How do i sanitize a string for database query? Is there some builtin function? thx :)Use prepared statements instead. https://en.wikipedia.org/wiki/Prepared_statement
Jul 21 2015
On Tuesday, 21 July 2015 at 18:55:53 UTC, ddos wrote:On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:No it won't. The actual contents of your query parameters are irrelevant and are stored as-is; that's the entire point of using query parameters. Example using d2sqlite3: auto db = Database(":memory:"); auto stmt = db.prepare("INSERT INTO banned VALUES (?);") stmt.bindAll("O'chucks"); stmt.execute(); // works fineOn Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:thx for reminding me of prepared statements this is ok for preventing an sql injection i guess, but still my insert would fail. maybe i should have specified what i want to achieve: i have a plugin for a call of duty gameserver, this plugin is able to ban players from the server by inserting name/ip/etc.. into a sql database. it is priority that the insert never fails. e.g. name could contain a ' which lets my insert fail.How do i sanitize a string for database query? Is there some builtin function? thx :)Use prepared statements instead. https://en.wikipedia.org/wiki/Prepared_statement
Jul 21 2015
On Tuesday, 21 July 2015 at 18:55:53 UTC, ddos wrote:On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:Prepared statements handle this just fine. In fact that's why they exist, to handle this case.On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:thx for reminding me of prepared statements this is ok for preventing an sql injection i guess, but still my insert would fail. maybe i should have specified what i want to achieve: i have a plugin for a call of duty gameserver, this plugin is able to ban players from the server by inserting name/ip/etc.. into a sql database. it is priority that the insert never fails. e.g. name could contain a ' which lets my insert fail.How do i sanitize a string for database query? Is there some builtin function? thx :)Use prepared statements instead. https://en.wikipedia.org/wiki/Prepared_statement
Jul 21 2015