[Gambas-user] MySQL Data
Benoit Minisini
gambas at ...1...
Tue Jan 25 11:11:07 CET 2005
On Saturday 22 January 2005 06:34, Eric Damron wrote:
> I'm writing a simple DVD collection database front end to MySQL in order
> to learn Gambas. I've noticed that when the user enters a title like
> "Hogan's Heros" an exception is thrown because of the apostrophe. I
> fixed this problem by sending all user inputs to a function that looks
> for this and returns “\'” when it finds one.
>
> However, if the user enters a “&” the same thing happens even if I
> convert it to “\&” Does anyone know how to properly “sanitize” user
> input to MySQL?
>
> Thanks.
>
An old VB user still? :-)
To avoid these problems, you should use the substitution feature of the Exec(),
Find() and Edit() methods.
For example, instead of writing this in your code:
strSQL = "insert into DATA ( description ) VALUES ( '" & strTextBox & "' )"
Message("SQL = " & strSQL)
rsRecord = hConnection.Exec( strSQL)
Write:
rsRecord = hConnection.Exec("insert into DATA ( description ) VALUES (&1)", strTextBox)
The Gambas database component will carefully deal with escape characters so
that the syntax of the query is correct, whatever database server you use.
Regards,
--
Benoit Minisini
mailto:gambas at ...1...
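The two patterns from the reply above, side by side, as an added example that is not part of the original thread or of Gambas: it is Python against an in-memory SQLite table (assumed as a stand-in for the MySQL table DATA with its `description` column), where the driver's `?` placeholder plays the role of Gambas' `&1` substitution. The sample titles, the table layout and the `' OR 1=1 --` payload are constructed for the demo. Note that `&` is not special to SQL at all, so the original poster's ampersand failure is not reproduced here; the apostrophe failure is, and so is the reason string concatenation is a security problem rather than only a syntax one.

```python
import sqlite3

# Constructed sample input: a few DVD titles, including the apostrophe case
# from the thread, plus a hostile "title" used in a lookup.
SAMPLE_TITLES = ["Hogan's Heroes", "Tom & Jerry", "Casablanca"]
INJECTION = "' OR 1=1 --"


def open_catalog():
    """Assumed stand-in for the MySQL table: same table and column names as the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE DATA (id INTEGER PRIMARY KEY, description TEXT)")
    return conn


def insert_concatenated(conn, description):
    """The 'instead of writing this' pattern: user text is spliced into the SQL syntax."""
    sql = "INSERT INTO DATA (description) VALUES ('" + description + "')"
    conn.execute(sql)


def insert_parameterized(conn, description):
    """The 'write this' pattern: the value is bound by the driver, never parsed as SQL.
    This is what Exec("... VALUES (&1)", strTextBox) does in Gambas."""
    conn.execute("INSERT INTO DATA (description) VALUES (?)", (description,))


def count_concatenated(conn, description):
    """Lookup built by concatenation: a quote in the input rewrites the WHERE clause."""
    sql = "SELECT COUNT(*) FROM DATA WHERE description = '" + description + "'"
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, description):
    """Lookup with a bound parameter: the input can only ever be compared as data."""
    row = conn.execute("SELECT COUNT(*) FROM DATA WHERE description = ?", (description,))
    return row.fetchone()[0]


def try_insert(conn, insert_fn, description):
    """Run one insert and report "ok" or "error" instead of aborting the whole demo."""
    try:
        insert_fn(conn, description)
        return "ok"
    except sqlite3.Error:
        return "error"


def run_demo():
    """Compare both approaches on every sample title; returns a dict of outcomes."""
    outcome = {}
    for label, insert_fn, count_fn in (
        ("concat", insert_concatenated, count_concatenated),
        ("param", insert_parameterized, count_parameterized),
    ):
        conn = open_catalog()
        results = {title: try_insert(conn, insert_fn, title) for title in SAMPLE_TITLES}
        # How many rows does a lookup for the hostile "title" match?
        # Concatenation turns it into "WHERE description = '' OR 1=1", i.e. every row.
        results["injection_matches"] = count_fn(conn, INJECTION)
        results["stored"] = [r[0] for r in conn.execute("SELECT description FROM DATA ORDER BY id")]
        conn.close()
        outcome[label] = results
    return outcome


if __name__ == "__main__":
    for label, results in run_demo().items():
        print(label, results)
```

Running it shows the concatenated insert failing on "Hogan's Heroes" exactly as the original poster saw, while the hostile lookup matches every stored row; the parameterized version stores all three titles and the same lookup matches nothing. The escaping function the poster wrote is the wrong layer for this: the quoting rules differ per server, and getting them right by hand is precisely the work the database component already does when you pass values through `&1`.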