How do i sanitize a string for database query?
Alex Parrill via Digitalmars-d-learn
digitalmars-d-learn at puremagic.com
Tue Jul 21 12:00:12 PDT 2015
On Tuesday, 21 July 2015 at 18:55:53 UTC, ddos wrote:
> On Tuesday, 21 July 2015 at 17:58:55 UTC, Gary Willoughby wrote:
>> On Tuesday, 21 July 2015 at 17:23:30 UTC, ddos wrote:
>>> How do i sanitize a string for database query?
>>> Is there some builtin function?
>>>
>>> thx :)
>>
>> Use prepared statements instead.
>>
>> https://en.wikipedia.org/wiki/Prepared_statement
>
> thx for reminding me of prepared statements
> this is ok for preventing an sql injection i guess, but still
> my insert would fail.
> maybe i should have specified what i want to achieve:
>
> i have a plugin for a call of duty gameserver, this plugin is
> able to ban players from the server by inserting name/ip/etc..
> into a sql database. it is priority that the insert never
> fails. e.g. name could contain a ' which lets my insert fail.
No it won't. The actual contents of your query parameters are
irrelevant and are stored as-is; that's the entire point of using
query parameters.
Example using d2sqlite3:
import d2sqlite3;

auto db = Database(":memory:");
db.execute("CREATE TABLE banned (name TEXT);"); // table assumed for the example; the insert needs it to exist
auto stmt = db.prepare("INSERT INTO banned VALUES (?);");
stmt.bindAll("O'chucks"); // the ' is bound as data and stored as-is, never parsed as SQL
stmt.execute(); // works fine
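The point above, as an added example that is not part of the original thread: the same INSERT run against SQLite from Python's sqlite3 module (used here so the failure can be shown in a runnable form), first by splicing the name into the SQL text, then with a bound parameter. The banned table, the column name and the demo helper are constructed for this example.

```python
import sqlite3


def fresh_db():
    """Constructed in-memory 'banned' table mirroring the thread's example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE banned (name TEXT)")
    return db


def insert_by_concatenation(db, name):
    """The approach that would need 'sanitizing': the value is spliced into
    the SQL text. An apostrophe in the name ends the string literal early,
    so SQLite rejects the statement and the INSERT fails."""
    db.execute("INSERT INTO banned VALUES ('" + name + "');")


def insert_by_parameter(db, name):
    """Prepared statement with a bound parameter: the name travels as data,
    never as SQL, so any character (including ') is stored verbatim."""
    db.execute("INSERT INTO banned VALUES (?);", (name,))


def stored_names(db):
    """Read back what actually landed in the table."""
    return [row[0] for row in db.execute("SELECT name FROM banned")]


def demo(name="O'chucks"):
    """Returns (concatenation_failed, names_stored) for the given player name."""
    db = fresh_db()
    try:
        insert_by_concatenation(db, name)
        concat_failed = False
    except sqlite3.OperationalError:
        concat_failed = True
    insert_by_parameter(db, name)
    return concat_failed, stored_names(db)


if __name__ == "__main__":
    print(demo())  # → (True, ["O'chucks"])
```

For a name without an apostrophe both paths succeed, which is exactly why concatenation looks fine in testing and then breaks on real player names.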