[Gambas-user] Duplicated invalid record inserting into MySQL

Benoit Minisini gambas at ...1...
Wed Aug 20 13:24:07 CEST 2008


On Wednesday 20 August 2008, christian.gambas wrote:
> On Wednesday 20 August 2008, João Luís wrote:
> >  sql = "INSERT INTO customer VALUES(name), ('" & TextBox1.Text & "')"
>
> I think it must be (at least with sqlite):
> sql = "INSERT INTO customer (name) VALUES('" & TextBox1.Text & "')"
>
> cheers :)

Just a remark - always the same with SQL...

Never do something like:

  sql = "INSERT INTO customer (name) VALUES ('" & TextBox1.Text & "')"
  res = mDatabase.conn.Exec(sql)

But do that:

  res = mDatabase.conn.Exec("INSERT INTO customer (name) VALUES (&1)", TextBox1.Text)

This way, you let Gambas quote the TextBox1.Text string correctly, and avoid a possible SQL-injection trap in your application!

Regards,

-- 
Benoit Minisini
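The quoting problem Benoit describes is not specific to Gambas, so here is the same contrast worked through in Python against an in-memory SQLite table. This is an added example, not code from the mailing list or from Gambas itself; the `customer` table and the sample names are constructed for the demonstration, and the `?` placeholder of Python's DB-API plays the role of Gambas' `&1` argument substitution.

```python
import sqlite3


def make_db():
    """Constructed in-memory database standing in for the thread's customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    return conn


def insert_by_concatenation(conn, name):
    """The pattern the thread warns against: the value is spliced into the SQL text.

    Any quote character inside `name` changes the meaning of the statement, so
    this is both fragile (ordinary names break it) and an injection trap.
    Returns "ok" on success or the driver's error text.
    """
    sql = "INSERT INTO customer (name) VALUES ('" + name + "')"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.Error as exc:
        conn.rollback()
        return "error: " + str(exc)


def insert_with_parameter(conn, name):
    """Equivalent of Gambas' Exec("... VALUES (&1)", name): the driver quotes the value.

    The SQL text is fixed; the value travels separately and is always treated as data.
    """
    conn.execute("INSERT INTO customer (name) VALUES (?)", (name,))
    conn.commit()
    return "ok"


def stored_names(conn):
    """Return the names currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM customer ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    # A plain name works either way...
    print(insert_by_concatenation(db, "Ann"))
    # ...but an apostrophe breaks the concatenated statement
    print(insert_by_concatenation(db, "O'Brien"))
    # while the parameterised form stores it verbatim.
    print(insert_with_parameter(db, "O'Brien"))
    print(stored_names(db))
```

A name such as `O'Brien` is enough to show the difference: the concatenated statement fails with a syntax error because the apostrophe terminates the string literal early, whereas the parameterised statement stores the name exactly as typed. The same mechanism that lets a harmless apostrophe break the query is what an attacker relies on, so passing the value as an argument, as Benoit recommends, closes both problems at once.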