How do i sanitize a string for database query?

Alex Parrill via Digitalmars-d-learn digitalmars-d-learn at puremagic.com
Tue Jul 21 12:00:12 PDT 2015


On Tuesday, 21 July 2015 at 18:55:53 UTC, ddos wrote:
> On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:
>> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
>>> How do i sanitize a string for database query?
>>> Is there some builtin function?
>>>
>>> thx :)
>>
>> Use prepared statements instead.
>>
>> https://en.wikipedia.org/wiki/Prepared_statement
>
> thx for reminding me of prepared statements
> this is ok for preventing an sql injection i guess, but still 
> my insert would fail.
> maybe i should have specified what i want to achieve:
>
> i have a plugin for a call of duty gameserver, this plugin is 
> able to ban players from the server by inserting name/ip/etc.. 
> into a sql database. it is priority that the insert never 
> fails. e.g. name could contain a ' which lets my insert fail.

No it won't. The actual contents of your query parameters are 
irrelevant and are stored as-is; that's the entire point of using 
query parameters.

Example using d2sqlite3:

	import d2sqlite3;

	auto db = Database(":memory:");
	// the table has to exist before the insert (the original snippet skipped this step)
	db.execute("CREATE TABLE banned (name TEXT);");
	auto stmt = db.prepare("INSERT INTO banned VALUES (?);");
	stmt.bindAll("O'chucks"); // the apostrophe is passed as data, never parsed as SQL
	stmt.execute(); // works fine
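The same point, shown side by side, as an added example that is not part of the reply above: the naive version splices the player name into the SQL text and breaks on an apostrophe, while the parameterized version stores the name exactly as given. It uses Python's standard sqlite3 module rather than d2sqlite3 because the behaviour is the database's, not the binding's; the two-column `banned` table and the player names are constructed for the demo.

```python
import sqlite3

# Constructed sample player names; "O'chucks" and "D'Artagnan" carry the
# apostrophe that trips up string-spliced SQL.
SAMPLE_BANS = [("Bob", "10.0.0.1"), ("O'chucks", "10.0.0.2"), ("D'Artagnan", "10.0.0.3")]


def open_ban_db() -> sqlite3.Connection:
    """In-memory stand-in for the ban table a game-server plugin would write to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE banned (name TEXT NOT NULL, ip TEXT NOT NULL)")
    return conn


def insert_ban_concat(conn: sqlite3.Connection, name: str, ip: str) -> bool:
    """Fragile: the name becomes part of the SQL text, so a quote in it
    changes the statement. Returns True only if the insert succeeded."""
    try:
        conn.execute(f"INSERT INTO banned VALUES ('{name}', '{ip}')")
        return True
    except sqlite3.Error:
        # e.g. "O'chucks" yields ... VALUES ('O'chucks', ...) -> syntax error
        return False


def insert_ban_param(conn: sqlite3.Connection, name: str, ip: str) -> bool:
    """Robust: the SQL text is fixed and the values travel separately as
    parameters, so nothing in the name is ever parsed as SQL."""
    conn.execute("INSERT INTO banned VALUES (?, ?)", (name, ip))
    return True


def stored_names(conn: sqlite3.Connection) -> list[str]:
    """Names currently in the table, in insertion order."""
    return [row[0] for row in conn.execute("SELECT name FROM banned ORDER BY rowid")]


def run_demo() -> dict[str, list[str]]:
    """Insert the sample bans both ways; return which names each method stored."""
    concat_conn = open_ban_db()
    param_conn = open_ban_db()
    for name, ip in SAMPLE_BANS:
        insert_ban_concat(concat_conn, name, ip)
        insert_ban_param(param_conn, name, ip)
    return {"concat": stored_names(concat_conn), "param": stored_names(param_conn)}


if __name__ == "__main__":
    for method, names in run_demo().items():
        print(f"{method:>6}: {names}")
```

Running it prints that the concatenating insert kept only `Bob`, while the parameterized insert kept all three names with their apostrophes intact, which is exactly the "insert never fails" property the plugin needs.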


