March 24, 2020 Re: Swedish letters fuck up parsing into SQL query

Posted in reply to matheus
On 3/24/20 7:15 AM, matheus wrote:
> On Monday, 23 March 2020 at 15:41:50 UTC, Adam D. Ruppe wrote:
>> On Monday, 23 March 2020 at 15:15:12 UTC, Anders S wrote:
>>> I'm creating a connection to the db and conn.exec(sql)
>>
>> It depends on the library but it is almost always easier to do it right than to do it the way you are.
>>
>> like with my lib it is
>>
>> db.query("update celldata set name = ?", new_name);
>
> I'm not the OP but I have a question, isn't this passive to SQL injection too, or your LIB will handle this somehow?
I haven't seen the code, but I'm going to guess this is using prepared statements with the given string as a parameter. This is what mysql-native does.
-Steve
|
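An added example, not code from the thread or from mysql-native: the difference between building the SQL text from a value and binding the value to a `?` placeholder, as the reply above describes. Python's built-in sqlite3 module stands in for MySQL so the example runs offline; the table contents, function names and sample values are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample table, named after the celldata table in the thread.
    db = sqlite3.connect(":memory:")
    db.execute("create table celldata (id integer primary key, name text)")
    db.executemany("insert into celldata (name) values (?)", [("alpha",), ("beta",)])
    return db

def names(db):
    return [row[0] for row in db.execute("select name from celldata order by id")]

def rename_concat(db, cell_id, new_name):
    # Fragile: the value becomes part of the SQL text, so the SQL parser interprets it.
    db.execute("update celldata set name = '" + new_name + "' where id = " + str(cell_id))

def rename_bound(db, cell_id, new_name):
    # The statement text is fixed; the values are passed separately as parameters.
    db.execute("update celldata set name = ? where id = ?", (new_name, cell_id))

def run_case(rename, value):
    # Apply one rename to row 1 of a fresh table and report the resulting names.
    db = make_db()
    try:
        rename(db, 1, value)
    except sqlite3.OperationalError:
        return "syntax error"
    return names(db)

def demo():
    swedish = "Åsa's källare"  # ordinary name: Swedish letters plus an apostrophe
    quoted = "x' --"           # value that closes the string and comments out the rest
    return {
        "concat_swedish": run_case(rename_concat, swedish),
        "bound_swedish": run_case(rename_bound, swedish),
        "concat_quoted": run_case(rename_concat, quoted),
        "bound_quoted": run_case(rename_bound, quoted),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, "->", outcome)
```

With concatenation the first value fails to parse and the second silently drops the `where` clause and renames every row; with bound parameters both values are stored unchanged in row 1 only.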
March 24, 2020 Re: Swedish letters fuck up parsing into SQL query

Posted in reply to matheus
On Tuesday, 24 March 2020 at 11:15:24 UTC, matheus wrote:
> On Monday, 23 March 2020 at 15:41:50 UTC, Adam D. Ruppe wrote:
>> On Monday, 23 March 2020 at 15:15:12 UTC, Anders S wrote:
>>> I'm creating a connection to the db and conn.exec(sql)
>>
>> It depends on the library but it is almost always easier to do it right than to do it the way you are.
>>
>> like with my lib it is
>>
>> db.query("update celldata set name = ?", new_name);
>
> I'm not the OP but I have a question, isn't this passive to SQL injection too, or your LIB will handle this somehow?
>
> If is the latter could you please point the code on GitHub?
>
> Matheus.
https://github.com/mysql-d/mysql-native/blob/8f9cb4cd9904ade43af006f96e5e03eebe7a7c19/source/mysql/protocol/comms.d#L494
it's builtin into mysql
|
March 24, 2020 Re: Swedish letters fuck up parsing into SQL query

Posted in reply to WebFreak001
On Tuesday, 24 March 2020 at 14:10:19 UTC, WebFreak001 wrote:
> On Tuesday, 24 March 2020 at 11:15:24 UTC, matheus wrote:
>> On Monday, 23 March 2020 at 15:41:50 UTC, Adam D. Ruppe wrote:
>>> On Monday, 23 March 2020 at 15:15:12 UTC, Anders S wrote:
>>>> I'm creating a connection to the db and conn.exec(sql)
>>>
>>> It depends on the library but it is almost always easier to do it right than to do it the way you are.
>>>
>>> like with my lib it is
>>>
>>> db.query("update celldata set name = ?", new_name);
>>
>> I'm not the OP but I have a question, isn't this passive to SQL injection too, or your LIB will handle this somehow?
>>
>> If is the latter could you please point the code on GitHub?
>>
>> Matheus.
>
> https://github.com/mysql-d/mysql-native/blob/8f9cb4cd9904ade43af006f96e5e03eebe7a7c19/source/mysql/protocol/comms.d#L494
>
> it's builtin into mysql
Ahhh, thanks need to dig into this and learn.
Thanks guys for all the responses. Got plenty of leads to dig into, also issues I have to consider to be a better coder ;)
Thks again
|
Copyright © 1999-2021 by the D Language Foundation