[Gambas-user] Issue 225 in gambas: No prepared statements
gambas at ...2524...
Tue Mar 13 19:11:32 CET 2012
Comment #1 on issue 225 by raindog... at ...626...: No prepared statements
http://code.google.com/p/gambas/issues/detail?id=225
Actually, there kind of are. While there's no method called "prepare" in
the Connection class, there is the Connection.Subst method, which safely
quotes parameters to the SQL statement, as well as the Connection.Quote
method which quotes a single parameter.
While these don't address the performance gains you get by, say, preparing
a SQL statement once (which pre-compiles it in other implementations such
as Perl DBI, when the DBMS supports it) and repeatedly executing it with
different parameters, they do address most of the security issues with
inserting parameters as strings, VB-style.
As a bonus, at least compared to Perl's implementation, when you use date
variables in Gambas and pass them through Quote or Subst, they're formatted
SQL-style (YYYY-MM-DD) rather than needing to convert them first using
strftime or something similar.
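As an added example (not code from the original post or from the Gambas project), the following Gambas class contrasts a string-spliced query with the same query built through Connection.Subst and the argument form of Connection.Exec; the SQLite setup and the `users` table with its `name` and `created` columns are assumed for illustration.

```gambas
' Added example, not from the original post. The "users" table and its
' "name" / "created" fields are assumed; any table would do.

Private $hConn As Connection

Public Sub OpenDatabase()

  $hConn = New Connection
  $hConn.Type = "sqlite3"
  $hConn.Host = User.Home        ' directory that holds the database file
  $hConn.Name = "example.sqlite"
  $hConn.Open

End

' UNSAFE: the caller-supplied value becomes part of the statement text,
' so a quote character inside sName changes the meaning of the query.
Public Function FindUserUnsafe(sName As String) As Result

  Return $hConn.Exec("SELECT * FROM users WHERE name = '" & sName & "'")

End

' SAFE: &1 and &2 are replaced by properly quoted values. Subst quotes the
' string and formats the Date for SQL, so no manual escaping is needed.
Public Function FindUserSafe(sName As String, dSince As Date) As Result

  Dim sQuery As String

  sQuery = $hConn.Subst("SELECT * FROM users WHERE name = &1 AND created >= &2", sName, dSince)
  Return $hConn.Exec(sQuery)

End

' Exec accepts the same placeholders directly, which avoids building the
' intermediate string at all.
Public Function CountSince(dSince As Date) As Integer

  Dim rResult As Result

  rResult = $hConn.Exec("SELECT COUNT(*) AS n FROM users WHERE created >= &1", dSince)
  Return rResult!n

End
```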