parameterized query with wildcard

Peter Haworth pete at lcsql.com
Thu Jul 30 14:41:34 EDT 2015


If you use the placeholder method, there is no need to sanitize the
strings, that's the point of using it.  Although I guess it depends on what
you mean by "sanitize".

On Thu, Jul 30, 2015 at 8:11 AM Bob Sneidar <bobsneidar at iotecdigital.com>
wrote:

> Yes it does. If you use the placeholder method (I am not really sure what
> to call it at this point) then sqlYoga sanitizes the strings for you. I've
> inserted records with any number of characters using this method without
> any problems reading in or out of the database.
>
> I'm not sure if a direct query like "address = '\\bobscomputer\scans'" is
> sanitized. For the sake of standardization I always use the placeholder
> method.
>
> Bob S
>
>
> > On Jul 28, 2015, at 09:17 , Andrew Kluthe <andrew at ctech.me> wrote:
> >
> > Does revDataFromQuery do any sanitizing/proper to prevent me from
> > sneaking extra SQL into your search box like an injection style attack,
> > or does it just plop whatever you give in there no questions asked? Just
> > curious. I have always been spoiled by SQLYoga or rolled my DB interfaces
> > up into API servers of some kind.
> >
> > On Tue, Jul 28, 2015 at 11:09 AM Dave Kilroy <dave at applicationinsight.com>
> > wrote:
> >
> >> Mike, assuming you are searching the db with parameter pSearchTerm, try
> >> something like this:
> >>
> >>
> >> -- add the SQL wildcards in script, then bind the whole value as one parameter
> >> put "%" & pSearchTerm & "%" into tSearchTerm
> >> -- :1 is the placeholder the database library fills with the bound value
> >> put "SELECT * FROM foo WHERE bar LIKE :1" into tQuery
> >> -- the last argument is the *name* of the variable that holds the value for :1
> >> get revDataFromQuery(tab, return, sDBID, tQuery, "tSearchTerm")
> >>
> >> -----
> >> "The difference between genius and stupidity is; genius has its limits." -
> >> Albert Einstein
> >> --
> >> View this message in context:
> >> http://runtime-revolution.278305.n4.nabble.com/parameterized-query-with-wildcard-tp4694407p4694419.html
> >> Sent from the Revolution - User mailing list archive at Nabble.com.
> >>
> >> _______________________________________________
> >> use-livecode mailing list
> >> use-livecode at lists.runrev.com
> >> Please visit this url to subscribe, unsubscribe and manage your
> >> subscription preferences:
> >> http://lists.runrev.com/mailman/listinfo/use-livecode
> >>

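What the placeholder method buys you, and one thing it does not, as an added example in Python with the standard-library sqlite3 module. This is not code from anyone in the thread, from LiveCode or from SQL Yoga; the table and column names foo/bar follow Dave's snippet, and the rows are constructed. It shows the point Peter makes: the concatenated query accepts injected SQL while the bound version treats the same input as a plain string. It also adds a caveat the thread does not raise: `%` and `_` inside the bound value are still LIKE wildcards, so a user can match every row with a single underscore unless the term is escaped and the query carries an ESCAPE clause (the escape character and the ESCAPE syntax here are SQLite's; other engines differ).

```python
import sqlite3

# Constructed sample rows; the table and column names follow the thread (foo.bar).
SAMPLE_ROWS = [
    ("alpha",),
    ("bob_scanner",),
    ("100%done",),
    ("secret-admin-row",),
]


def make_db():
    """In-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT)")
    conn.executemany("INSERT INTO foo (bar) VALUES (?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, term):
    """The unsafe way: the search term is pasted into the SQL text itself."""
    sql = "SELECT bar FROM foo WHERE bar LIKE '%" + term + "%'"
    return sorted(r[0] for r in conn.execute(sql))


def search_bound(conn, term):
    """Same shape as the LiveCode snippet: wildcards added in code, value bound as a parameter.
    Quotes in the term cannot change the statement, but % and _ still act as wildcards."""
    pattern = "%" + term + "%"
    return sorted(r[0] for r in conn.execute("SELECT bar FROM foo WHERE bar LIKE ?", (pattern,)))


def escape_like(term, esc="\\"):
    """Prefix LIKE metacharacters (and the escape char itself) so they match literally."""
    return term.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")


def search_bound_literal(conn, term):
    """Bound parameter plus ESCAPE, so a user-typed % or _ matches only itself."""
    pattern = "%" + escape_like(term) + "%"
    sql = "SELECT bar FROM foo WHERE bar LIKE ? ESCAPE '\\'"
    return sorted(r[0] for r in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1' LIKE '1"          # closes the quote and appends an always-true clause
    print("concatenated:", search_concat(db, payload))      # every row
    print("bound:       ", search_bound(db, payload))       # no row
    print("bound '_':   ", search_bound(db, "_"))           # every row: _ is a wildcard
    print("escaped '_': ", search_bound_literal(db, "_"))   # only the row with a literal _
```

The binding alone closes the injection hole; the ESCAPE step is about search correctness (and about not letting a single `%` turn a lookup into a full-table scan), which is the "depends on what you mean by sanitize" part. In LiveCode the same escaping can be done with `replace` on the term before it is bound, provided the query text carries the ESCAPE clause your database expects.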

