List: MySQL++
From: r ottmanj  Date: December 11 2008 11:23pm
Subject: Escaping queries
I am having a bit of an issue with escaping a query. I build my query
parameters in two different strings. One holds the fields and the other holds
the data. Now, the issue that I have is the data may contain bad SQL chars
(' " etc.). When I build the query string for the data, I include all the
required single quotes in the string.

Would it be better to just escape bad SQL chars while I build the string, or
is there another way to do it with MySQL++?

Here is the code that I am using. Any help with this is greatly appreciated.

Building the field and data strings.

    librets::StringVector::iterator i;
    for (i = columns.begin(); i != columns.end(); i++)
    {
        string column = *i;

        if (i == columns.begin()) {
            insStr = column;                                   // sqlFields in DbConnect::db_insert method
            dataStr = "'" + results->GetString(column) + "'";  // sqlData in DbConnect::db_insert method
        } else {
            insStr = insStr + "," + column;
            dataStr = dataStr + "," + "'" + results->GetString(column) + "'";
        }
    }

This is the code that I use to execute the query and escape it. It is part
of my db_insert method.

    mysqlpp::Query query = conn.query("INSERT INTO " + sqlTable + "(" + sqlFields + ") VALUES (");
    query << mysqlpp::escape << sqlData << ")";
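An added example (my own code, not from the post or from MySQL++) contrasting the two orders of operations: escaping the already-quoted sqlData string, as the db_insert code above does, versus escaping each value on its own and only then wrapping it in quotes, which is what the mysqlpp::quote manipulator does for each operand. escape_value is an ASCII-only stand-in for mysqlpp::escape, assumed here so the block runs without a MySQL server; the real manipulator is charset-aware and is the one to use against a live connection.

```cpp
#include <string>
#include <vector>

// ASCII-only stand-in for mysqlpp::escape (mysql_real_escape_string), assumed
// here so the example runs without a MySQL server or the MySQL++ library.
std::string escape_value(const std::string &in) {
    std::string out;
    for (char c : in) {
        switch (c) {
            case '\0': out += "\\0";  break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            case '\\': out += "\\\\"; break;
            case '\'': out += "\\'";  break;
            case '"':  out += "\\\""; break;
            default:   out += c;      break;
        }
    }
    return out;
}

// What the posted code ends up doing: the raw values are wrapped in quotes and
// joined first, and the whole joined string is escaped afterwards
// (query << mysqlpp::escape << sqlData). The quotes that were meant to
// delimit the values get escaped too, so the INSERT is no longer valid SQL.
std::string values_escaped_after_quoting(const std::vector<std::string> &vals) {
    std::string joined;
    for (size_t i = 0; i < vals.size(); ++i) {
        if (i) joined += ",";
        joined += "'" + vals[i] + "'";
    }
    return escape_value(joined);
}

// The fix: escape each value by itself, then wrap that single value in quotes.
// This is the per-operand behaviour of mysqlpp::quote.
std::string values_quoted_per_value(const std::vector<std::string> &vals) {
    std::string joined;
    for (size_t i = 0; i < vals.size(); ++i) {
        if (i) joined += ",";
        joined += "'" + escape_value(vals[i]) + "'";
    }
    return joined;
}
```

With MySQL++ itself the per-value form is `query << mysqlpp::quote << results->GetString(column)` inside the column loop, instead of adding the quotes by hand to sqlData and escaping the whole string at the end.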
