[Gambas-user] MySQL Data

nigel at ...38... nigel at ...38...
Thu Jan 27 16:00:52 CET 2005


Eric,
Should there be an &6 in the statement...there seems to be 6 parameters.

Nigel





> Message date : Jan 27 2005, 01:41 PM
> From : "Eric Damron" 
> To : gambas-user at lists.sourceforge.net
> Copy to : 
> Subject : Re: [Gambas-user] MySQL Data
> Benoit Minisini wrote:
> 
> >On Saturday 22 January 2005 06:34, Eric Damron wrote:
> > 
> >
> >>I'm writing a simple DVD collection database front end to MySQL in order
> >>to learn Gambas. I've noticed that when the user enters a title like
> >>"Hogan's Heroes" an exception is thrown because of the apostrophe. I
> >>fixed this problem by sending all user inputs to a function that looks
> >>for this and returns "\'" when it finds one.
> >>
> >>However, if the user enters a "&" the same thing happens even if I
> >>convert it to "\&". Does anyone know how to properly "sanitize" user
> >>input to MySQL?
> >>
> >>Thanks.
> >>
> >> 
> >>
> >
> >An old VB user yet :-) ?
> >
> >To avoid these problems, you should use the substitute features of Exec(), 
> >Find() and Edit() methods.
> >
> >For example, instead of writing this in your code:
> >
> > strSQL = "insert into DATA ( description ) VALUES ( '" & strTextBox & "' )" 
> > 
> > Message("SQL = " & strSQL)
> > rsRecord = hConnection.Exec( strSQL)
> >
> >Write:
> >
> > rsRecord = hConnection.Exec("insert into DATA ( description ) VALUES (&1)", strTextBox)
> > 
> >The gambas database component will carefully deal with escape characters so 
> >that the syntax of the query is correct, whatever database server you use.
> >
> >Regards,
> >
> > 
> >
> Thanks! Do the substitute features of Exec() have any limitations 
> that I should know about? In the following line I get an error message:
> hConnection.Exec("insert into DISC (title, rating_id, note, 
> genre_primary, genre_secondary, format_code) values (&1, &2, &3, &4, 
> &5)", strTitle, strRatingID, strNote, strGenrePrimary, 
> strGenreSecondary, strFormatCode)
> 
> The message is "Query failed: Unknown column 'W' in 'field list'".
> 
> As you can see there is no 'W' in the field list. 'W' is the data being 
> sent in to 'format_code' (it stands for Wide Screen). If I enter a DVD 
> and set the format code to "S"tandard I get the error "Query failed: 
> Unknown column 'S' in 'field list'".
> 
> BTW format_code is a valid field in the database. Any ideas??
> 
> Thanks
> 
> 
> 
> 

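As an added illustration (not code from the thread or from Gambas), the same idea in Python against an in-memory SQLite table standing in for MySQL: a check that counts the &N markers against the arguments supplied (the mismatch Nigel spots), the parameterised insert that handles the apostrophe in "Hogan's Heroes", and the concatenated statement it replaces. The column names come from the thread; the row values and the rewriting of &N to the driver's :pN parameters are assumptions of the example.

```python
import re
import sqlite3
# Constructed sample data mirroring the thread: a title with an apostrophe and
# the six values for the DISC insert (format_code "W" = Wide Screen).
TITLE = "Hogan's Heroes"
DISC_ROW = (TITLE, "PG", "Rerun set", "Comedy", "War", "W")
PLACEHOLDER = re.compile(r"&(\d+)")           # Gambas-style &1, &2, ... markers

def check_placeholders(sql, args):
    """List mismatches between the &N markers in sql and the arguments given;
    an empty list means every marker has an argument and every argument is used."""
    used = {int(n) for n in PLACEHOLDER.findall(sql)}
    expected = set(range(1, len(args) + 1))
    problems = [f"&{n} has no argument" for n in sorted(used - expected)]
    problems += [f"argument {n} ({args[n - 1]!r}) is never referenced"
                 for n in sorted(expected - used)]
    return problems

def exec_safe(conn, sql, *args):
    """Run a &N-style statement as a real parameterised query: the driver quotes
    each value itself, so an apostrophe cannot break the statement."""
    problems = check_placeholders(sql, args)
    if problems:
        raise ValueError("; ".join(problems))
    named = PLACEHOLDER.sub(lambda m: f":p{m.group(1)}", sql)   # &1 -> :p1
    params = {f"p{i}": v for i, v in enumerate(args, start=1)}
    return conn.execute(named, params).rowcount

def exec_concat(conn, title):
    """String building as in the thread: the apostrophe ends the literal early."""
    sql = "insert into DISC (title) values ('" + title + "')"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.OperationalError as e:
        return f"error: {e}"

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table DISC (title, rating_id, note, genre_primary, genre_secondary, format_code)")
    five = ("insert into DISC (title, rating_id, note, genre_primary, "
            "genre_secondary, format_code) values (&1, &2, &3, &4, &5)")
    six = five[:-1] + ", &6)"                  # the missing &6 Nigel points out
    return {
        "concat": exec_concat(conn, TITLE),
        "five_markers": check_placeholders(five, DISC_ROW),
        "six_markers": exec_safe(conn, six, *DISC_ROW),
        "stored": conn.execute("select title from DISC").fetchone()[0],
    }
```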