On Wednesday 20 August 2008, christian.gambas wrote:
> On Wednesday 20 August 2008, João Luís wrote:
> > sql = "INSERT INTO customer VALUES(name), ('" & TextBox1.Text & "')"
>
> I think it must be (at least with sqlite):
> sql = "INSERT INTO customer (name) VALUES('" & TextBox1.Text & "')"
>
> cheers :)
>
> _______________________________________________
> Gambas-user mailing list
> Gambas-user@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/gambas-user

Just a remark - always the same with SQL...

Never do something like:

sql = "INSERT INTO customer (name) VALUES('" & TextBox1.Text & "')"
res = mDatabase.conn.Exec(sql)

But do that:

res = mDatabase.conn.Exec("INSERT INTO customer (name) VALUES (&1)", TextBox1.Text)

This way, you let Gambas quote the TextBox1.Text string correctly, and avoid a possible SQL-injection trap in your application!

Regards,

-- 
Benoit Minisini
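
The difference between the two forms discussed in this thread, as an added example that is not part of the original messages: it uses Python's sqlite3 module, whose `?` placeholder stands in here for the `&1` argument of Gambas's Exec. The in-memory table, the helper names and the sample inputs are constructed for illustration.

```python
import sqlite3


def new_db():
    # Fresh in-memory database with the thread's table (constructed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (name TEXT)")
    return conn


def insert_concatenated(conn, name):
    # Pattern warned against in the thread: the text box content
    # becomes part of the SQL statement itself.
    sql = "INSERT INTO customer (name) VALUES('" + name + "')"
    conn.execute(sql)


def insert_bound(conn, name):
    # Recommended pattern: the value is handed to the driver separately
    # from the SQL text, so it can only ever be stored as data.
    conn.execute("INSERT INTO customer (name) VALUES (?)", (name,))


def rows(conn):
    return [r[0] for r in conn.execute("SELECT name FROM customer ORDER BY rowid")]


def compare(name):
    # Run the same input through both patterns and report what each stored.
    results = {}
    for label, insert in (("concatenated", insert_concatenated),
                          ("bound", insert_bound)):
        conn = new_db()
        try:
            insert(conn, name)
            results[label] = rows(conn)
        except sqlite3.Error as exc:
            results[label] = "error: " + type(exc).__name__
        conn.close()
    return results


# Constructed sample inputs: a plain name, a name containing an apostrophe,
# and a value containing SQL syntax.
SAMPLES = ["Alice", "O'Brien", "x'), ('y"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), compare(sample))
```

With the concatenated form an ordinary name containing an apostrophe already breaks the statement, and the third sample changes how many rows are written; the bound form stores all three values exactly as typed.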