Re: [gnome-db] Recommended function for escaping strings?



2008/9/7 Maurice van der Pot <griffon26 kfk4ever com>:
> I wanted to escape a string that I am going to use as a value in an SQL
> statement, but I'm unsure what function to use.
>
> I see there's gda_default_escape_string(), but that is also used as a
> fallback in gda_server_provider_escape_string() so that may not be a
> preferred function.
>
> Then there's gda_server_provider_escape_string(), but I thought I should
> not call any of the server provider functions directly and I don't see
> anything in gda_connection that uses it.
>
> Finally there's gda_connection_value_to_sql_string(), but that requires
> me to put the string into a GValue first.
>
> What's the best way?
>

Data representation conversion in Libgda is done by GdaDataHandler
objects, you may get a pointer to an instance using
gda_dict_get_handler(), assuming you use Libgda 3.x. Then use
gda_data_handler_get_value_from_str() to get a new GValue from your
string, and gda_data_handler_get_sql_from_value() to convert it to SQL
(don't forget to call gda_value_free() to free the GValue created by
the first call).

Note however that it is much safer to use variables in SQL statements
and bind the variables when the statement is executed to avoid code
injection and to have better performance. Unfortunately this is not
very well supported with the 3.x versions. With the upcoming V4
version, this method is fully supported.

Regards,

Vivien
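The escaping step the thread is about, shown as an added stand-alone C example (not code from the original message and not Libgda's own implementation). It does not link against Libgda: the escaper below is assumed to mirror a generic "default" SQL escaper that doubles every single quote and backslash, and build_lookup_query() splices the resulting quoted literal into a query the way a caller would splice in the string returned by gda_data_handler_get_sql_from_value(). The function and table names are hypothetical, and the three inputs are constructed test values.

```c
/* Added example: string -> escaped SQL literal -> query text.
 * Assumption: the escaper doubles ' and \ (generic default escaping);
 * it is not the Libgda provider-specific handler. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a newly allocated copy of `in` with every ' and \ doubled.
 * The caller frees the result. */
char *escape_sql_string(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(2 * len + 1);   /* worst case: every byte doubles */
    if (!out)
        return NULL;
    char *p = out;
    for (const char *s = in; *s; s++) {
        if (*s == '\'' || *s == '\\')
            *p++ = *s;                 /* emit the escape copy first */
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Wrap the escaped bytes in single quotes: the SQL literal form of the
 * value. The caller frees the result. */
char *sql_quote_literal(const char *in)
{
    char *esc = escape_sql_string(in);
    if (!esc)
        return NULL;
    size_t n = strlen(esc);
    char *lit = malloc(n + 3);         /* two quotes plus NUL */
    if (!lit) {
        free(esc);
        return NULL;
    }
    lit[0] = '\'';
    memcpy(lit + 1, esc, n);
    lit[n + 1] = '\'';
    lit[n + 2] = '\0';
    free(esc);
    return lit;
}

/* Build "SELECT id FROM users WHERE name = <literal>" (hypothetical table)
 * by concatenating the quoted literal. The caller frees the result. */
char *build_lookup_query(const char *name)
{
    static const char prefix[] = "SELECT id FROM users WHERE name = ";
    char *lit = sql_quote_literal(name);
    if (!lit)
        return NULL;
    size_t n = strlen(lit);
    char *q = malloc(sizeof prefix + n);   /* sizeof prefix includes the NUL */
    if (!q) {
        free(lit);
        return NULL;
    }
    memcpy(q, prefix, sizeof prefix - 1);
    memcpy(q + sizeof prefix - 1, lit, n + 1);
    free(lit);
    return q;
}

int main(void)
{
    /* Constructed inputs: a legitimate apostrophe, a classic quote-breaking
     * injection attempt, and a backslash. */
    const char *inputs[] = { "O'Reilly", "x' OR '1'='1", "back\\slash" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *q = build_lookup_query(inputs[i]);
        if (q) {
            printf("%s\n", q);
            free(q);
        }
    }
    return 0;
}
```

The point the reply makes about binding is visible here: even after correct escaping, the user-supplied bytes still end up inside the SQL text, and whether doubling a backslash is right depends on the backend (MySQL-style string literals treat `\` as an escape character, standard SQL literals do not), which is exactly why a provider-specific handler exists. With bound variables the value never enters the statement text at all, so the question does not arise.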

