How to connect to SQLITE?

Ferhat Kurtulmuş aferust at gmail.com
Sat Nov 28 19:16:06 UTC 2020


On Saturday, 28 November 2020 at 17:50:43 UTC, kdevel wrote:
> On Saturday, 28 November 2020 at 13:29:50 UTC, Ferhat Kurtulmuş 
> wrote:
>> On Saturday, 28 November 2020 at 12:01:59 UTC, Alex NL wrote:
>>> Is there libs for SQLITE?
>>> How to use it? thanks.
>>
>> https://github.com/aferust/GtkD-examples-for-TreeView-and-ListBox
>
> IMNSHO the code in example1.d
>
>    string sql = format("UPDATE User SET %s = '%s' WHERE id = 
> %s;", field, text, curId);
>    db.query(sql);
>
> and that in example2.d
>
>    string sql = format("UPDATE User SET %s = '%s' WHERE id = 
> %d;", field, value, cid);
>    db.query(sql);
>
> is prone to SQL injection attacks. Why don't you use ? as 
> placeholder as in the example
>
>    db.query("INSERT INTO people (id, name) VALUES (?, ?)", 5, 
> "Adam");
>
> of
>
>    http://dpldocs.info/experimental-docs/arsd.database.html
>
> If your database is compromised you can blame the arsd.database 
> author(s) for publishing a buggy db.escape function ;-)

I just didn't care about security vulnerabilities there. My focus 
was on GtkD functions. But you are right. It may mislead newbies. 
Library functions should have been used, not format, so that auto 
escape can work. I am too lazy to fix it :)
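The fix kdevel describes, as an added example that is not code from the GtkD examples or from arsd: the UPDATE from example1.d with the value and the id bound via ? placeholders. A column name cannot be a bound parameter, so the field is checked against an allow-list instead of being formatted in. It assumes arsd.sqlite from the same arsd package is on the import path; `editableFields` and `updateUser` are names chosen here.

```d
// Added example, not part of the GtkD examples or of arsd itself.
// Assumes arsd.sqlite (https://github.com/adamdruppe/arsd) is importable.
import arsd.sqlite;
import std.algorithm : canFind;
import std.exception : enforce;
import std.stdio;

// Identifiers cannot be bound with ?, so the editable columns are
// fixed here (hypothetical allow-list) and the request is checked against it.
immutable string[] editableFields = ["name", "email"];

// Same job as the format() call in example1.d, but the user-controlled
// value and the row id are passed to arsd as parameters, never as SQL text.
void updateUser(Database db, string field, string text, int curId)
{
    enforce(editableFields.canFind(field),
            "refusing to update column: " ~ field);
    db.query("UPDATE User SET " ~ field ~ " = ? WHERE id = ?", text, curId);
}

void main()
{
    // Constructed in-memory database so the example runs stand-alone.
    auto db = new Sqlite(":memory:");
    db.query("CREATE TABLE User (id INTEGER PRIMARY KEY, name TEXT, email TEXT)");
    db.query("INSERT INTO User (id, name) VALUES (?, ?)", 5, "Adam");

    // A value containing a quote would break out of the '%s' in the
    // format() version; with a bound parameter it is stored verbatim.
    updateUser(db, "name", "O'Brien", 5);

    // Rejected before any SQL is built: "id" is not an editable column.
    try
        updateUser(db, "id", "1", 5);
    catch (Exception e)
        writeln(e.msg);

    foreach (row; db.query("SELECT name FROM User WHERE id = ?", 5))
        writeln(row["name"]);
}
```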

