List: MySQL and .NET
From: Reggie Burnett
Date: February 28 2005 2:37pm
Subject: RE: How to deal with the ' char
Jordan

I completely understand your feeling that using parameters just makes things
harder but there are many things that are done for you when you use
parameters.  

First, parameters should properly escape text so that it inserts properly
into MySQL.  If you find any parameterization bugs please file that
immediately so it can be fixed.  

Second, often a user wants to give several different types of objects for a
particular column.  A user might, for example, want to populate a datetime
column with a DateTime object, a Timestamp object, or even a string or
integer.  Some of these may not be supported today but they can be supported
in the future.  The point is that with parameters you just set the parameter
value and the parameter code will determine the type of what you passed in
and the best way of serializing it out.  

Third (and one of the most important) regards globalization.  MySQL (using
the older 4.0 text protocol) only accepts numbers with a dot decimal in it.
This means that if your app is running under a different locale (German for
instance) where numbers might normally appear as 123.456,89 then your code
will need to know that and handle it appropriately.

As to not seeing the query, the connector has logging built in.  Add
"logging=yes" to the connection string and then set up an appropriate
listener in your app's config file.  I use this all the time.  If you don't
set up a listener, then you should see the logging output at the console.

-reggie

> -----Original Message-----
> From: Jordan Sparks [mailto:jsparks@stripped] 
> Sent: Saturday, February 26, 2005 10:00 AM
> To: dotnet@stripped
> Subject: RE: How to deal with the ' char
> 
> I hate parameters.  If I had been using parameters, all of my 
> code would have been broken when the connector switched 
> parameters from @ to ?, and I have a LOT of code.  It also 
> makes it impossible to see the actual string that's going 
> out, so debugging becomes very difficult.  I also hate trying 
> to come up with names for each parameter when I have huge 
> queries and I don't really care about naming the string; I 
> just want to send it off.  It also makes your queries only 
> work with MySQL, and locking yourself into one database 
> engine is foolish.  Parameters also clutter the code because 
> you have to declare each parameter ahead of time.  I could go 
> on and on about why I hate parameters.  I really do hate them.
> 
> Here's my home-grown function that I use instead of a string 
> parameter:
> 
> using System.Text;
> 
> public static string PString(string myString){
>     if(myString==null){
>         return "";
>     }
>     StringBuilder strBuild=new StringBuilder();
>     foreach(char c in myString){
>         switch(c){
>             case '\'':
>                 strBuild.Append(@"\'"); break;   // ' replaced by \'
>             case '\\':
>                 strBuild.Append(@"\\"); break;   // single \ replaced by \\
>             case '\r':
>                 strBuild.Append(@"\r"); break;   // carriage return (usually followed by new line)
>             case '\n':
>                 strBuild.Append(@"\n"); break;   // new line
>             case '\t':
>                 strBuild.Append(@"\t"); break;   // tab
>             default:
>                 strBuild.Append(c); break;       // everything else passes through unchanged
>         }
>     }
>     return strBuild.ToString();
> }
> 
> Jordan Sparks
>  
> 
> -----Original Message-----
> From: James Moore [mailto:banshee@stripped]
> Sent: Saturday, February 26, 2005 7:36 AM
> To: 'Jorge Bastos'; dotnet@stripped
> Subject: RE: How to deal with the ' char
> 
> 
> This is what parameterized queries are for -
> 
> Insert into NamesTable (fullname) values (?name)
> 
> And the connector will handle escaping for you.
> 
> If you don't want to use parameterized queries (can't imagine why; I'd
> never let non-parameterized queries involving strings through a code
> review), you need to look at the way the connector does the escaping.
> Just handling ' isn't enough. 
> 
>  - James
> 
> 
> 
> -- 
> MySQL on .NET Mailing List
> For list archives: http://lists.mysql.com/dotnet
> To unsubscribe:
> http://lists.mysql.com/dotnet?unsub=1
> 
> 

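James's warning that handling the quote alone is not enough, and Reggie's point that the connector's parameter code does the escaping for the connection it is on, can be made concrete without a server. The block below is an added example and is not code from the thread or from Connector/NET: it ports Jordan's PString() to Python and runs its output through a small lexer that splits a statement into string literals, bare SQL and "-- " comments the way MySQL's parser does, once with the default sql_mode and once with NO_BACKSLASH_ESCAPES, in which a backslash is an ordinary character. The table and column names, the attacker inputs and the quote_for_mode() helper are constructed for the example.

```python
"""Port of the thread's PString() plus a small MySQL-style lexer, used to
show where client-side escaping breaks (added example, not Connector/NET
code; table, columns and attacker inputs are constructed)."""


def pstring(s):
    """Python port of the PString() escaper posted in the thread."""
    if s is None:
        return ""
    table = {"'": "\\'", "\\": "\\\\", "\r": "\\r", "\n": "\\n", "\t": "\\t"}
    return "".join(table.get(ch, ch) for ch in s)


def split_sql(sql, backslash_escapes=True):
    """Lex a statement into ('sql' | 'literal' | 'comment', text) segments.

    Single-quoted literals only. Inside a literal '' is always one quote;
    \\x is an escape only when backslash_escapes is True (default sql_mode;
    False models NO_BACKSLASH_ESCAPES). '-- ' starts a comment to end of
    line. An unterminated literal raises ValueError (a server syntax error).
    """
    segs, buf, i, n = [], [], 0, len(sql)

    def flush():
        if buf:
            segs.append(("sql", "".join(buf)))
            buf.clear()

    while i < n:
        if sql.startswith("-- ", i) or sql[i:] == "--":
            flush()
            end = sql.find("\n", i)
            end = n if end < 0 else end
            segs.append(("comment", sql[i:end]))
            i = end
        elif sql[i] != "'":
            buf.append(sql[i])
            i += 1
        else:
            flush()
            i += 1
            lit = []
            while True:
                if i >= n:
                    raise ValueError("unterminated string literal")
                c = sql[i]
                if c == "\\" and backslash_escapes and i + 1 < n:
                    lit.append(sql[i + 1])   # \x: keep x, drop the backslash
                    i += 2
                elif c == "'" and sql.startswith("''", i):
                    lit.append("'")          # '' is one literal quote
                    i += 2
                elif c == "'":
                    i += 1                   # closing quote
                    break
                else:
                    lit.append(c)
                    i += 1
            segs.append(("literal", "".join(lit)))
    flush()
    return segs


def bare_sql(sql, backslash_escapes=True):
    """Statement text outside literals and comments: the part an attacker
    must alter to change what the statement does."""
    return "".join(t for k, t in split_sql(sql, backslash_escapes) if k == "sql")


def quote_for_mode(s, backslash_escapes):
    """Quote a value correctly for a *known* sql_mode: always double quotes,
    double backslashes only when the server treats them as escapes."""
    s = s.replace("'", "''")
    if backslash_escapes:
        s = s.replace("\\", "\\\\")
    return "'" + s + "'"


# Constructed attacker inputs and the bare SQL the developer intended.
PAYLOAD = "\\' OR 1=1 -- "       # a backslash, a quote, a tautology, a comment
NUMERIC_PAYLOAD = "1 OR 1=1"
INTENDED = "SELECT id FROM Users WHERE name = "


def with_pstring(name):
    return INTENDED + "'" + pstring(name) + "'"


def with_pstring_unquoted(user_id):
    return "SELECT id FROM Users WHERE id = " + pstring(user_id)


def with_quoter(name, backslash_escapes):
    return INTENDED + quote_for_mode(name, backslash_escapes)


if __name__ == "__main__":
    for mode in (True, False):
        print("backslash_escapes=%s" % mode)
        print("  PString :", bare_sql(with_pstring(PAYLOAD), mode))
        print("  quoter  :", bare_sql(with_quoter(PAYLOAD, mode), mode))
    print("unquoted  :", bare_sql(with_pstring_unquoted(NUMERIC_PAYLOAD)))
```

Under the default mode PString() round-trips the payload and the bare SQL is exactly what was intended; under NO_BACKSLASH_ESCAPES the same escaped text ends the literal at the first quote and "OR 1=1" lands in bare SQL, and applied outside quotes (a numeric column) the escaper changes nothing at all. quote_for_mode() survives both modes only because it is told which mode the connection is in; that per-connection knowledge is what the driver's parameter code has and a string assembled in the caller does not.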
Thread
How to deal with the ' char (Jorge Bastos, 26 Feb)
  • Re: How to deal with the ' char (Brandon Schenz, 26 Feb)
  • Re: How to deal with the ' char (Jorge Bastos, 26 Feb)
  • Re: How to deal with the ' char (Brandon Schenz, 26 Feb)
  • Re: How to deal with the ' char (Jorge Bastos, 26 Feb)
    • RE: How to deal with the ' char (James Moore, 26 Feb)
      • RE: How to deal with the ' char (Jordan Sparks, 26 Feb)
        • RE: How to deal with the ' char (James Moore, 26 Feb)
          • RE: How to deal with the ' char (Daniel Fisla, 26 Feb)
            • Re: How to deal with the ' char (Jorge Bastos, 26 Feb)
          • Parameter examples (Guy Platt, 28 Feb)
        • RE: How to deal with the ' char (Reggie Burnett, 28 Feb)
          • RE: How to deal with the ' char (mike.griffin, 28 Feb)
  • Re: How to deal with the ' char (Frank, 26 Feb)
RE: How to deal with the ' char (James Moore, 26 Feb)
RE: Parameter examples (Kevin Turner, 28 Feb)