sql escaping
- From: Xavier Bouchoux <xavier bouchoux free fr>
- To: f-spot-list gnome org
- Subject: sql escaping
- Date: Wed, 05 Sep 2007 23:35:44 +0200
hi,
I'm having a crash with latest svn, when updating the database from version
7 to 8:
Unhandled Exception: Mono.Data.SqliteClient.SqliteSyntaxException: near "image": syntax error
at Mono.Data.SqliteClient.SqliteCommand.GetNextStatement (IntPtr pzStart, System.IntPtr& pzTail, System.IntPtr& pStmt) [0x00000]
at Mono.Data.SqliteClient.SqliteCommand.ExecuteReader (CommandBehavior behavior, Boolean want_results, System.Int32& rows_affected) [0x00000]
at Mono.Data.SqliteClient.SqliteCommand.ExecuteNonQuery () [0x00000]
at Banshee.Database.QueuedSqliteCommand.Execute () [0x00000]
I tracked it back to this statement:
string statement = String.Format ("INSERT INTO photo_versions (photo_id, version_id, name, uri) " +
                                  "VALUES ({0}, {1}, '{2}', '{3}')",
                                  Convert.ToUInt32 (reader [0]),
                                  Convert.ToUInt32 (reader [1]),
                                  (string)(reader [2]),
                                  uri);
with version_id = "Modifié dans Éditeur d'image GIMP" (notice the "'")...
so I was wondering if there was a String.Format() look-alike that
did SQL escaping of the arguments, and/or what the policy in f-spot
is for this.
xavier
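The failure described in the post, reproduced and then fixed, as an added example that is not f-spot code and is written in Python against sqlite3 rather than in f-spot's C#. The table definition and the sample row (including the name with the embedded apostrophe) are constructed for the example; it shows the splice-into-SQL pattern failing with the same syntax error, a quote-doubling helper of the String.Format look-alike kind the post asks about, and the bound-parameter form that needs no escaping at all.

```python
import sqlite3

# Constructed sample row shaped like the migration's (photo_id, version_id, name, uri).
SAMPLE_ROW = (42, 1, "Modifié dans Éditeur d'image GIMP", "file:///tmp/example.jpg")


def make_db():
    """In-memory table shaped like photo_versions (column types are an assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE photo_versions "
                 "(photo_id INTEGER, version_id INTEGER, name TEXT, uri TEXT)")
    return conn


def insert_formatted(conn, row):
    """The String.Format pattern from the post: values spliced into the SQL text.
    The apostrophe in `name` terminates the literal early, so SQLite sees
    '... Éditeur d' followed by the bare word image and reports a syntax error."""
    photo_id, version_id, name, uri = row
    sql = ("INSERT INTO photo_versions (photo_id, version_id, name, uri) "
           "VALUES ({0}, {1}, '{2}', '{3}')").format(photo_id, version_id, name, uri)
    conn.execute(sql)


def sql_quote(value):
    """Escaping helper: double every embedded single quote and wrap in quotes."""
    return "'" + str(value).replace("'", "''") + "'"


def insert_escaped(conn, row):
    """Same splice, but every string argument goes through sql_quote()."""
    photo_id, version_id, name, uri = row
    sql = ("INSERT INTO photo_versions (photo_id, version_id, name, uri) "
           "VALUES ({0}, {1}, {2}, {3})").format(int(photo_id), int(version_id),
                                                 sql_quote(name), sql_quote(uri))
    conn.execute(sql)


def insert_parameterized(conn, row):
    """Preferred form: bound parameters, so the driver never parses the value as SQL."""
    conn.execute("INSERT INTO photo_versions (photo_id, version_id, name, uri) "
                 "VALUES (?, ?, ?, ?)", row)


def fetch_names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM photo_versions ORDER BY rowid")]


def demo():
    """Returns (error text from the spliced insert, names stored by the two safe inserts)."""
    conn = make_db()
    try:
        insert_formatted(conn, SAMPLE_ROW)
        formatted_error = None
    except sqlite3.OperationalError as exc:
        formatted_error = str(exc)
    insert_escaped(conn, SAMPLE_ROW)
    insert_parameterized(conn, SAMPLE_ROW)
    return formatted_error, fetch_names(conn)
```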