From: Glen Ditchfield
Subject: Re: [Monotone-devel] [PATCH] New typesafe VA_ARGS replacement for database with operator % style
Date: Tue, 24 Jan 2006 19:07:19 -0600
User-agent: KMail/1.9.1

On Tuesday 24 January 2006 02:13, Nathaniel Smith wrote:
> The new API is like:
> execute(query("DELETE FROM my_table WHERE attr = ?") % blob(foo));
Glen Ditchfield wrote:
> Is there some code somewhere that escapes single-quotes? I've seen too
> many bugs in other systems where the code sets up a query like
> "SELECT stuff FROM my_table WHERE surname = '?' ")
> and then some other code substitutes in "O'Toole" instead of "O''Toole".
On Tuesday 24 January 2006 15:43, Christof Petig wrote:
> This is not an issue here since query and parameter are passed separated
> to the database. (And the parameter is not parsed).
But does that ensure that the right thing will happen if the parameter has a
single quote in it?
By the way, here is what monotone 0.23 on SuSE 9.2 does in one case:
[~]$ monotone ls certs a:o\'toole
monotone: expanding selection 'a:o'toole'
monotone: error: sqlite error: 1: near "toole": syntax error
monotone: error: make sure database and containing directory are writeable
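
The distinction Christof draws (query text and parameter travel to the database separately, and the parameter is never parsed as SQL) and Glen's follow-up question can be checked directly against SQLite, the engine monotone uses. The following is an added example written for this page; it is not monotone code and not part of the thread. It uses Python's standard sqlite3 module rather than monotone's C++ wrapper, the table contents are constructed, and the names `my_table` and `surname` are borrowed from Glen's message.

```python
import sqlite3


def make_db():
    """In-memory SQLite database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE my_table (id INTEGER PRIMARY KEY, surname TEXT NOT NULL)"
    )
    # Constructed sample data. Both "O'Toole" and the doubled-quote form
    # "O''Toole" are stored, bound as parameters, so each is kept literally.
    conn.executemany(
        "INSERT INTO my_table (surname) VALUES (?)",
        [("Smith",), ("O'Toole",), ("O''Toole",)],
    )
    conn.commit()
    return conn


def lookup_bound(conn, surname):
    """Value passed separately from the SQL text, the way the proposed
    query("... ?") % blob(...) API does it. SQLite gets the statement and
    the parameter through different channels, so a quote in the value is
    just a byte in the value and needs no escaping."""
    cur = conn.execute("SELECT id FROM my_table WHERE surname = ?", (surname,))
    return [row[0] for row in cur.fetchall()]


def lookup_interpolated(conn, surname):
    """The pattern Glen warns about: the caller splices the value into the
    SQL text. A single quote in the value ends the string literal early."""
    sql = "SELECT id FROM my_table WHERE surname = '%s'" % surname
    cur = conn.execute(sql)
    return [row[0] for row in cur.fetchall()]


def lookup_escaped(conn, surname):
    """Hand-escaping by doubling quotes. Correct for this one case, but
    every call site has to remember to do it, which is the bug class
    Glen describes seeing in other systems."""
    escaped = surname.replace("'", "''")
    sql = "SELECT id FROM my_table WHERE surname = '%s'" % escaped
    cur = conn.execute(sql)
    return [row[0] for row in cur.fetchall()]


def interpolation_error(conn, surname):
    """Return SQLite's error message for the interpolated query, or None
    if the query was accepted."""
    try:
        lookup_interpolated(conn, surname)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    print(lookup_bound(db, "O'Toole"))          # the single matching id
    print(lookup_escaped(db, "O'Toole"))        # same id, via manual escaping
    print(interpolation_error(db, "O'Toole"))   # SQLite syntax error near "Toole"
    print(lookup_interpolated(db, "x' OR '1'='1"))  # every row: injection
    print(lookup_bound(db, "x' OR '1'='1"))         # no rows: harmless
```

With the bound form, "O'Toole" matches exactly the row that was stored as O'Toole and "O''Toole" matches only the doubled-quote row, so the quote is preserved without any escaping. The interpolated form reproduces the failure Glen pasted from monotone 0.23 (a syntax error at the token after the stray quote), and a crafted value such as `x' OR '1'='1` turns the same defect into a query that returns every row, while the bound form just returns nothing.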