Thread overview: How do I sanitize a string for database query?
- ddos, Jul 21, 2015
- Adam D. Ruppe, Jul 21, 2015
- Gary Willoughby, Jul 21, 2015
- ddos, Jul 21, 2015
- Alex Parrill, Jul 21, 2015
- ddos, Jul 21, 2015
- Gary Willoughby, Jul 21, 2015
July 21, 2015
How do I sanitize a string for a database query?
Is there some builtin function?

thx :)
July 21, 2015
On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
> How do I sanitize a string for a database query?

You generally shouldn't even try; instead, use the database functions that bind parameters to the procedure.

> Is there some builtin function?
It is different for each database target.
July 21, 2015
On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
> How do I sanitize a string for a database query?
> Is there some builtin function?
>
> thx :)

Use prepared statements instead.

https://en.wikipedia.org/wiki/Prepared_statement
July 21, 2015
On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:
> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
>> How do I sanitize a string for a database query?
>> Is there some builtin function?
>>
>> thx :)
>
> Use prepared statements instead.
>
> https://en.wikipedia.org/wiki/Prepared_statement

thx for reminding me of prepared statements.
This is OK for preventing an SQL injection, I guess, but my insert would still fail.
Maybe I should have specified what I want to achieve:

I have a plugin for a Call of Duty game server; this plugin is able to ban players from the server by inserting name/IP/etc. into an SQL database. It is a priority that the insert never fails, e.g. the name could contain a ' which makes my insert fail.

July 21, 2015
On Tuesday, 21 July 2015 at 18:55:53 UTC, ddos wrote:
> On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:
>> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
>>> How do I sanitize a string for a database query?
>>> Is there some builtin function?
>>>
>>> thx :)
>>
>> Use prepared statements instead.
>>
>> https://en.wikipedia.org/wiki/Prepared_statement
>
> thx for reminding me of prepared statements.
> This is OK for preventing an SQL injection, I guess, but my insert would still fail.
> Maybe I should have specified what I want to achieve:
>
> I have a plugin for a Call of Duty game server; this plugin is able to ban players from the server by inserting name/IP/etc. into an SQL database. It is a priority that the insert never fails, e.g. the name could contain a ' which makes my insert fail.

No, it won't. The actual contents of your query parameters are irrelevant and are stored as-is; that's the entire point of using query parameters.

Example using d2sqlite3:

	import d2sqlite3;

	auto db = Database(":memory:");
	db.run("CREATE TABLE banned (name TEXT);"); // the table has to exist before the insert
	auto stmt = db.prepare("INSERT INTO banned VALUES (?);");
	stmt.bindAll("O'chucks"); // the quote is bound as data, never parsed as SQL
	stmt.execute(); // works fine

July 21, 2015
On Tuesday, 21 July 2015 at 18:55:53 UTC, ddos wrote:
> On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:
>> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
>>> How do I sanitize a string for a database query?
>>> Is there some builtin function?
>>>
>>> thx :)
>>
>> Use prepared statements instead.
>>
>> https://en.wikipedia.org/wiki/Prepared_statement
>
> thx for reminding me of prepared statements.
> This is OK for preventing an SQL injection, I guess, but my insert would still fail.
> Maybe I should have specified what I want to achieve:
>
> I have a plugin for a Call of Duty game server; this plugin is able to ban players from the server by inserting name/IP/etc. into an SQL database. It is a priority that the insert never fails, e.g. the name could contain a ' which makes my insert fail.

Prepared statements handle this just fine. In fact, that's why they exist: to handle this case.
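The two replies above (the d2sqlite3 snippet and this one) make the same point: with parameter binding the apostrophe in a player name is data, not SQL, so the insert neither fails nor is injectable. The following is an added, self-contained illustration written for this thread, not code from any poster and not D; it uses Python's standard-library sqlite3 module against an in-memory database. The ban table layout (name, ip) and the sample player names are constructed for the example. It runs the same records through a naive string-built INSERT (the form the original question had in mind) and through a bound-parameter INSERT, and returns what each one did.

```python
import sqlite3

# Constructed sample ban records. Two of the names contain an apostrophe,
# which is exactly the input that breaks a string-built INSERT.
BANNED_PLAYERS = [
    ("O'chucks", "192.0.2.10"),
    ("plain_name", "192.0.2.11"),
    ("D'Angelo O'Neil", "192.0.2.12"),
]


def make_db():
    """Fresh in-memory database with the (assumed) ban table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE banned (name TEXT NOT NULL, ip TEXT NOT NULL)")
    return db


def insert_unsafe(db, name, ip):
    """The 'sanitize the string' approach: the value is pasted into the SQL text.
    A quote inside the name changes the statement's structure."""
    db.execute(f"INSERT INTO banned VALUES ('{name}', '{ip}')")


def insert_bound(db, name, ip):
    """Parameter binding: the SQL text is fixed at prepare time and the values
    travel separately, so their contents can never alter the statement."""
    db.execute("INSERT INTO banned VALUES (?, ?)", (name, ip))


def try_unsafe_inserts():
    """Run every record through the string-built INSERT and record the outcome
    per record: 'ok' or the name of the sqlite3 exception raised."""
    db = make_db()
    outcomes = []
    for name, ip in BANNED_PLAYERS:
        try:
            insert_unsafe(db, name, ip)
            outcomes.append("ok")
        except sqlite3.Error as exc:
            outcomes.append(type(exc).__name__)
    db.close()
    return outcomes


def bound_inserts():
    """Run every record through the bound INSERT and return the stored names,
    read back in insertion order, to show they are kept exactly as given."""
    db = make_db()
    for name, ip in BANNED_PLAYERS:
        insert_bound(db, name, ip)
    stored = [row[0] for row in db.execute("SELECT name FROM banned ORDER BY rowid")]
    db.close()
    return stored


if __name__ == "__main__":
    print("string-built INSERT:", try_unsafe_inserts())
    print("bound INSERT, stored names:", bound_inserts())
```

The string-built version reports a syntax error (sqlite3.OperationalError) for both names containing an apostrophe, which is the "insert fails" symptom from the question; the bound version stores all three names verbatim, apostrophes included, with no escaping function involved anywhere.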

July 21, 2015
thx