I am having a bit of an issue with escaping a query. I build my query
parameters in two different strings. One holds the fields and the other holds
the data. Now, the issue that I have is the data may contain bad SQL chars
(' " etc.). When I build the query string for the data, I include all the
required single quotes in the string.
Would it be better to just escape bad SQL chars while I build the string, or
is there another way to do it with mysql++?
Here is the code that I am using. Any help with this is greatly appreciated.
Building the field and data strings:
librets::StringVector::iterator i;
for (i = columns.begin(); i != columns.end(); i++)
{
    string column = *i;
    if (i == columns.begin()) {
        // first column: start both strings
        insStr = column;                                   // sqlFields in DbConnect::db_insert method
        dataStr = "'" + results->GetString(column) + "'";  // sqlData in DbConnect::db_insert method
    } else {
        // later columns: append with a comma separator; each value is
        // wrapped in single quotes here, before any escaping happens
        insStr = insStr + "," + column;
        dataStr = dataStr + "," + "'" + results->GetString(column) + "'";
    }
}
This is the code that I use to execute the query and escape it. It is part
of my db_insert method:
mysqlpp::Query query = conn.query("INSERT INTO " + sqlTable + "(" + sqlFields + ") VALUES (");
// the escape manipulator escapes the whole sqlData string that follows it,
// including the single quotes and commas that were added while building it
query << mysqlpp::escape << sqlData << ")";
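A stand-alone added example (not the poster's code, and written without the mysql++ library so it compiles on its own) contrasting the two orders of operations: escaping each value first and then adding the quotes, versus quoting and joining first and escaping the whole string afterwards, which is what the snippet above does. The `escape_value` helper is an assumption that mirrors the character set handled by mysql_real_escape_string; with mysql++ itself the per-value step is what the `mysqlpp::quote` manipulator does for you.

```cpp
#include <string>
#include <vector>

// Backslash-escape the characters that would otherwise end or alter a MySQL
// string literal (same set as mysql_real_escape_string; assumed helper).
std::string escape_value(const std::string& in) {
    std::string out;
    out.reserve(in.size() + 8);
    for (char c : in) {
        switch (c) {
            case '\0':   out += "\\0";  break;
            case '\n':   out += "\\n";  break;
            case '\r':   out += "\\r";  break;
            case '\\':   out += "\\\\"; break;
            case '\'':   out += "\\'";  break;
            case '"':    out += "\\\""; break;
            case '\x1a': out += "\\Z";  break;
            default:     out += c;
        }
    }
    return out;
}

// Correct order: escape each value on its own, then wrap it in quotes.
std::string build_values(const std::vector<std::string>& values) {
    std::string data;
    for (size_t i = 0; i < values.size(); ++i) {
        if (i) data += ",";
        data += "'" + escape_value(values[i]) + "'";
    }
    return data;
}

// The order used in the question: quote and join first, escape afterwards.
// The quotes and commas themselves get escaped, so the statement breaks.
std::string build_values_then_escape(const std::vector<std::string>& values) {
    std::string data;
    for (size_t i = 0; i < values.size(); ++i) {
        if (i) data += ",";
        data += "'" + values[i] + "'";
    }
    return escape_value(data);
}

// Column names are identifiers, not string literals, so they cannot be escaped
// this way; they must come from a fixed list, as in the loop over `columns`.
std::string build_insert(const std::string& table,
                         const std::vector<std::string>& columns,
                         const std::vector<std::string>& values) {
    std::string fields;
    for (size_t i = 0; i < columns.size(); ++i) { if (i) fields += ","; fields += columns[i]; }
    return "INSERT INTO " + table + " (" + fields + ") VALUES (" + build_values(values) + ")";
}
```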