[Vala] Escape string for use in sqlite


Rodrigo Herefeld

Mar 6, 2012, 7:41:23 AM3/6/12
to Vala List
Hi all!
I'm writing a small program that uses a sqlite database; I need to escape
chars to avoid problems with SQL. For example,
if I try to add the entry "moe's bar" to the database it fails.
I'm not worried about SQL injection because I'll be the only user of the
app, but I think about that too.
Does anyone have an idea? :-)

--
Rodrigo Cesar Herefeld

Luca Bruno

Mar 6, 2012, 7:49:43 AM3/6/12
to Rodrigo Herefeld, Vala List

Use prepared statements.

--
www.debian.org - The Universal Operating System

Luca Bruno

Mar 6, 2012, 2:33:40 PM3/6/12
to Rodrigo Herefeld, Vala List
On Tue, Mar 6, 2012 at 8:30 PM, Rodrigo Herefeld <rodrigo....@gmail.com> wrote:

> Did not understand... the exec statement already uses
> db.prepare; db.step; db.finalize, how could it help me to
> insert a string that could cause SQL to fail?
>

When you bind a string parameter it will be escaped.

Shawn Ferris

Mar 9, 2012, 9:46:08 AM3/9/12
to Vala List
On Tue, Mar 6, 2012 at 12:33 PM, Luca Bruno <letha...@gmail.com> wrote:
> On Tue, Mar 6, 2012 at 8:30 PM, Rodrigo Herefeld <rodrigo....@gmail.com> wrote:
>
> When you bind a string parameter it will be escaped.

I would add that database engines are usually better at optimizing SQL
with bind variables as well, and binds help prevent SQL injection
attacks. The latter is the best reason of all to use them; the other
two you get for free. :D

Shawn
_______________________________________________
vala-list mailing list
vala...@gnome.org
http://mail.gnome.org/mailman/listinfo/vala-list
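An added example of what Luca and Shawn describe, not code from the thread: the value from the original question is inserted through a bound parameter with Vala's sqlite3 binding, so the apostrophe is handled as data and no hand-written escaping is needed. The table name `bars`, the `insert_bar` function and the sample values are assumptions made for this demo.

```vala
// Added example, not from the thread: insert "moe's bar" via a bound parameter.
// Build (assumes valac and the sqlite3 development package are installed):
//   valac --pkg sqlite3 escape_demo.vala && ./escape_demo
using Sqlite;

int insert_bar (Database db, string name) {
    Statement stmt;
    // '?' is a placeholder; the SQL text is identical for every value.
    int rc = db.prepare_v2 ("INSERT INTO bars (name) VALUES (?)", -1, out stmt);
    if (rc != Sqlite.OK) {
        stderr.printf ("prepare failed: %s\n", db.errmsg ());
        return rc;
    }
    // Parameter indexes are 1-based; sqlite3 stores the bound text verbatim.
    stmt.bind_text (1, name);
    rc = stmt.step ();
    if (rc != Sqlite.DONE) {
        stderr.printf ("insert failed: %s\n", db.errmsg ());
        return rc;
    }
    return Sqlite.OK; // stmt is finalized automatically when it goes out of scope
}

int main () {
    Database db;
    // In-memory database: the demo leaves no file behind.
    if (Database.open (":memory:", out db) != Sqlite.OK) {
        stderr.printf ("open failed: %s\n", db.errmsg ());
        return 1;
    }
    string errmsg;
    if (db.exec ("CREATE TABLE bars (id INTEGER PRIMARY KEY, name TEXT NOT NULL)",
                 null, out errmsg) != Sqlite.OK) {
        stderr.printf ("create failed: %s\n", errmsg);
        return 1;
    }
    // Constructed sample values, including the one from the original question.
    string[] names = { "moe's bar", "O'Reilly's", "Rosie's \"Diner\"" };
    foreach (var n in names) {
        if (insert_bar (db, n) != Sqlite.OK) return 1;
    }
    // Read the rows back: each name comes out exactly as it went in.
    Statement q;
    db.prepare_v2 ("SELECT name FROM bars ORDER BY id", -1, out q);
    while (q.step () == Sqlite.ROW) {
        stdout.printf ("%s\n", q.column_text (0));
    }
    return 0;
}
```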

Daniel Espinosa

Mar 11, 2012, 11:33:41 PM3/11/12
to Shawn Ferris, Vala List
Use GDA. Look at:

http://live.gnome.org/ChooseLibgdaSQLite


2012/3/9 Shawn Ferris <shawn....@gmail.com>

--
Work, the best weapon for your self-improvement
"grain by grain, the sand is made" (R) (registration pending, but for
friends: FREE)

Daniel Espinosa

Mar 12, 2012, 12:00:11 PM3/12/12
to Rodrigo Herefeld, Vala-list, gnome-...@gnome.org
You can keep your code in Python, because GDA supports GObject
Introspection and PyGObject. Vala bindings in GDA are built on
GObject Introspection.

2012/3/12 Rodrigo Herefeld <rodrigo....@gmail.com>

> I started testing libgda, but the app simply does not compile on my
> Debian (the funny thing is that I
> was able to do that on Windows). I would need to compile libgda and then
> Vala for that to work, and
> the program is too small for that. In fact I had it already done in
> Python, but since I needed to run it
> on a machine where I may not install Python I decided to port it to Vala.
>
>
> 2012/3/12 Daniel Espinosa <eso...@gmail.com>

> Rodrigo Cesar Herefeld

Rodrigo Herefeld

Mar 12, 2012, 12:39:48 PM3/12/12
to Vala List
Well, no I can't, because one machine that runs the program may not have
Python installed, as I said :-)
And the fact is that in Python you won't need GDA; accessing databases in
Python uses a standard way no matter the DB driver you use, which is very
good and makes it very easy to change from one database to another. You'll always
have these commands:

dbdriver.connect(the connection parameters)
dbdriver.cursor().execute(sql)

and for string escaping:

cursor.execute("INSERT INTO test VALUES(?,?)",[value1,value2])

This is the same for every database driver, so you only change the
connection parameters, and make
sure to use compatible SQL.
I think the good idea about libgda is bringing the same functionality to C/C++
and Vala, but the Python
process is still simpler and takes less code to use.


PS: Daniel, sorry, today I realized that gmail is responding to the emails
to the person who wrote them and
not to the vala list, so you'll receive this mail twice because I've resent it to the
list.
2012/3/12 Daniel Espinosa <eso...@gmail.com>

--
Rodrigo Cesar Herefeld
