sql escaping



hi,

I'm having a crash with latest svn, when Updating database from version 7 to 8:
Unhandled Exception: Mono.Data.SqliteClient.SqliteSyntaxException: near "image": syntax error
at Mono.Data.SqliteClient.SqliteCommand.GetNextStatement (IntPtr pzStart, System.IntPtr& pzTail, System.IntPtr& pStmt) [0x00000] at Mono.Data.SqliteClient.SqliteCommand.ExecuteReader (CommandBehavior behavior, Boolean want_results, System.Int32& rows_affected) [0x00000] at Mono.Data.SqliteClient.SqliteCommand.ExecuteNonQuery () [0x00000] at Banshee.Database.QueuedSqliteCommand.Execute () [0x00000]


I tracked it back to this statement:

string statement = String.Format ("INSERT INTO photo_versions (photo_id, version_id, name, uri) " +
		"VALUES ({0}, {1}, '{2}', '{3}')",
		Convert.ToUInt32 (reader [0]),
		Convert.ToUInt32 (reader [1]),
		(string)(reader [2]),
		uri);


with version_id = "Modifié dans Éditeur d'image GIMP" (notice the "'")...

so I was wondering if there was a String.Format() look-alike that did SQL escaping of the arguments, and/or what the policy in f-spot is for this.

xavier
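The failure above, reproduced and fixed, as an added example (not F-Spot's or Mono's code): the same INSERT run three ways against a constructed in-memory stand-in for photo_versions, first with String.Format-style interpolation (the apostrophe in the name ends the literal early and SQLite reports a syntax error near "image"), then with parameter binding, and finally with a quote-doubling helper as the "escaping String.Format" the post asks about. The table schema, file URIs and helper names are assumptions.

```python
import sqlite3

# Constructed in-memory stand-in for F-Spot's photo_versions table (assumed schema).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE photo_versions "
               "(photo_id INTEGER, version_id INTEGER, name TEXT, uri TEXT)")
    return db

def insert_formatted(db, photo_id, version_id, name, uri):
    # The pattern from the post: values interpolated straight into the SQL text.
    # A single quote inside `name` closes the literal early; the remainder is parsed as SQL.
    sql = ("INSERT INTO photo_versions (photo_id, version_id, name, uri) "
           f"VALUES ({photo_id}, {version_id}, '{name}', '{uri}')")
    db.execute(sql)

def insert_bound(db, photo_id, version_id, name, uri):
    # Parameter binding: the driver passes values separately from the statement text,
    # so quotes in the data are never interpreted as SQL syntax. Preferred fix.
    db.execute("INSERT INTO photo_versions (photo_id, version_id, name, uri) "
               "VALUES (?, ?, ?, ?)", (photo_id, version_id, name, uri))

def sql_quote(value):
    # Escaping fallback: double every single quote and wrap in quotes.
    # Correct only for string literals; numeric columns are converted explicitly instead.
    return "'" + str(value).replace("'", "''") + "'"

def insert_escaped(db, photo_id, version_id, name, uri):
    # A String.Format look-alike that escapes its string arguments before interpolating.
    sql = ("INSERT INTO photo_versions (photo_id, version_id, name, uri) "
           f"VALUES ({int(photo_id)}, {int(version_id)}, {sql_quote(name)}, {sql_quote(uri)})")
    db.execute(sql)

def names(db):
    return [row[0] for row in db.execute("SELECT name FROM photo_versions ORDER BY rowid")]

NAME = "Modifié dans Éditeur d'image GIMP"  # the version name from the post

def demo():
    """Returns (interpolated insert failed?, names actually stored)."""
    db = make_db()
    try:
        insert_formatted(db, 1, 1, NAME, "file:///tmp/a.jpg")   # constructed URI
        formatted_failed = False
    except sqlite3.OperationalError:                            # near "image": syntax error
        formatted_failed = True
    insert_bound(db, 1, 2, NAME, "file:///tmp/b.jpg")
    insert_escaped(db, 1, 3, NAME, "file:///tmp/c.jpg")
    return formatted_failed, names(db)
```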


