Storing and retrieving data from a SQL database

Peter TB Brett peter.brett at livecode.com
Thu May 19 12:23:55 EDT 2016


On 19/05/2016 16:41, Paul Dupuis wrote:
> Mike and Peter: So you're both saying that if I use either:
>
> revExecuteSQL myID, "insert into mytable values(:1,:2)",
> "Variable1","Variable2"
> OR
> revExecuteSQL myID,"insert into mytable values(:1,:2)","myArray"
> where myArray[1] has the content for the first column and myArray[2] for
> the second column in the table
>
> That the revExecuteSQL command will escape the data in Variable1 or
> myArray[1] even if it contains returns and tabs and single and double
> quotes and so on?
>
> I had thought that it just did substitution. I.e. it effectively just
> replaced the :1 in the query with the contents of the variable, so for a
> VarChar, Char, or Text column in the database, Variable1 would have to
> contain 'some text' in single quotes. I would be happy if my assumption
> is completely wrong.

It doesn't do textual substitution.  I've used placeholders and 
revExecuteSQL even to store arbitrary binary data in an SQL database 
safely and securely.  If you have access to the App Building Course, the 
Photos app demonstrates how to do this quite nicely.

                                            Peter

-- 
Dr Peter Brett <peter.brett at livecode.com>
LiveCode Open Source Team

LiveCode 2016 Conference https://livecode.com/edinburgh-2016/
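The difference Peter describes, textual substitution versus bound placeholders, as an added example that is not from this thread or from LiveCode. It uses Python's sqlite3 module as a stand-in for revExecuteSQL, with sqlite's "?" placeholders in place of ":1"/":2"; the table name mytable is taken from Paul's message, and the sample values (text with quotes, tabs and line breaks, an injection string, and a 256-byte binary blob) are constructed for the demonstration.

```python
import sqlite3

# Constructed sample values: the kinds of content Paul was worried about.
HOSTILE_TEXT = "O'Brien\t\"quoted\"\r\nsecond line"
INJECTION = "x', 'y'); DELETE FROM mytable; --"
BINARY = bytes(range(256))  # arbitrary binary, every byte value 0..255


def fresh_db():
    """In-memory database with the two-column table from the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (col1, col2)")
    return conn


def insert_by_substitution(conn, v1, v2):
    """The model Paul assumed: the caller pastes the values into the SQL text,
    wrapped in single quotes.  The database then parses the values as SQL."""
    sql = "INSERT INTO mytable VALUES('%s', '%s')" % (v1, v2)
    conn.executescript(sql)  # executescript runs every statement it finds


def insert_with_placeholders(conn, v1, v2):
    """What revExecuteSQL actually does with :1/:2: the statement and the values
    travel separately, so a value is stored verbatim and is never parsed as SQL."""
    conn.execute("INSERT INTO mytable VALUES(?, ?)", (v1, v2))
    conn.commit()


def rows(conn):
    return conn.execute("SELECT col1, col2 FROM mytable").fetchall()


def demo_substitution():
    """Returns (hostile_text_accepted, remaining_rows) for the substitution path."""
    conn = fresh_db()
    insert_by_substitution(conn, "a", "b")  # a benign value works
    try:
        insert_by_substitution(conn, HOSTILE_TEXT, "b")
        accepted = True
    except sqlite3.OperationalError:  # the apostrophe in O'Brien breaks the statement
        accepted = False
    # The injection string closes the VALUES list and appends its own statement,
    # which deletes every row; the trailing "--" comments out the rest of the line.
    insert_by_substitution(conn, INJECTION, "b")
    return accepted, rows(conn)


def demo_placeholders():
    """Same inputs through bound parameters: everything is stored as given."""
    conn = fresh_db()
    insert_with_placeholders(conn, HOSTILE_TEXT, INJECTION)
    insert_with_placeholders(conn, BINARY, "binary row")
    return rows(conn)


if __name__ == "__main__":
    accepted, remaining = demo_substitution()
    print("substitution: hostile text accepted =", accepted, "rows left =", remaining)
    for col1, col2 in demo_placeholders():
        print("placeholders:", repr(col1)[:40], "|", repr(col2)[:40])
```

The substitution path fails twice: the quoted name is a syntax error, and the injection string ends up wiping the table. The placeholder path stores the quoted name, the injection string and the raw bytes unchanged, which is why placeholders are also the right way to store binary data.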
