escape string

Forum related to version 6.5.1 (alpha) and 6.6.x (beta) of ZeosLib's DBOs

Moderators: gto, cipto_kh, EgonHugeist

V1RUS
Fresh Boarder
Posts: 3
Joined: 01.09.2007, 14:22

escape string

Post by V1RUS »

I have a console program.

Code:

uses
  ZConnection,ZQuery;
var
  Connection : TZConnection;
  Dataset : TZQuery;
  login : string;
begin
  Connection := TZConnection.Create(nil);
  Dataset := TZQuery.Create(nil);
  Dataset.Connection := Connection; // attach the query to the connection created above
  Dataset.ReadOnly := FALSE;
  Connection.Protocol := 'mysql-5'; //actually it's getting from config
  Connection.HostName        := MainProc.DatabaseOptions.RealmHost;
  Connection.Port            := MainProc.DatabaseOptions.RealmPort;
  Connection.Database        := MainProc.DatabaseOptions.RealmDB;
  Connection.User            := MainProc.DatabaseOptions.RealmUser;
  Connection.Password        := MainProc.DatabaseOptions.RealmPass;
  Connection.Connect;

  login := GetLogin; //function takes username from Edit box

  //i need to escape string(login) now to avoid hack/crash. but how ???

  //something sql-requests with this login

  Connection.Disconnect;
  Dataset.Free;
  Connection.Free;
end.
Thanks all

Sorry for bad English - I'm from Russia ;)
zippo
Silver Boarder
Posts: 322
Joined: 12.10.2005, 18:01
Location: Slovenia

Post by zippo »

Use the backslash
V1RUS
Fresh Boarder
Posts: 3
Joined: 01.09.2007, 14:22

Post by V1RUS »

Can you write an example?
mdaems
Zeos Project Manager
Posts: 2766
Joined: 20.09.2005, 15:28
Location: Brussels, Belgium

Post by mdaems »

You can use EncodeCString from ZSysUtils unit.
I'm planning to add a utility function to the Connection component which escapes characters in a way the connected database likes. Some more people are asking for it. The mysql implementation would use mysql_escape_string or mysql_real_escape_string API functions. For other databases EncodeCString function will be used until somebody provides a more db specific solution.

Mark
V1RUS
Fresh Boarder
Posts: 3
Joined: 01.09.2007, 14:22

Post by V1RUS »

Thanks a lot. I'll wait for your change ;)
mdaems
Zeos Project Manager
Posts: 2766
Joined: 20.09.2005, 15:28
Location: Brussels, Belgium

Post by mdaems »

V1RUS,

I forgot I already committed the change... It's in the last Testing snapshot already. When you use another version you can check the changes using SVN (testing branch rev. 284) and apply these changes to your sources. It's not that big.

How to use it: escapedstring := Connection1.DbcConnection.EscapeString(unescapedstring)

Mark
btrewern
Expert Boarder
Posts: 193
Joined: 06.10.2005, 18:51

Post by btrewern »

Mark,

In PostgreSQL there is the PQescapeStringConn function which I think does what you are looking for from a PostgreSQL point of view.

See here:
http://www.postgresql.org/docs/8.2/stat ... APE-STRING

Introduced in PostgreSQL 7.3.

Regards,

Ben
mdaems
Zeos Project Manager
Posts: 2766
Joined: 20.09.2005, 15:28
Location: Brussels, Belgium

Post by mdaems »

Ben,

Can you please do the implementation? It shouldn't be too much work:
- add the plaindriver function if it's not present yet.
- override the function in the zdbcpostgresconnection.

Just post your changed files or an SVN patch here.

Mark
rjuju
Fresh Boarder
Posts: 4
Joined: 04.12.2008, 12:44

Post by rjuju »

Hi.
I'm planning to switch my PostgreSQL db to 9.1 with standard_conforming_strings set to on, so I have a similar problem.

For example, while using TDBEdit with TZQuery, if I write "let's", Zeos will write a query with "let\047s", which doesn't work without E before it ( E'let\047s' )

Is there a solution, like a patch with the PQescapeString function to escape strings?

Thank you
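
The mismatch described in the last post, as an added example that is not part of the original thread and not ZeosLib code: a simplified Python model of how PostgreSQL reads a quoted literal with standard_conforming_strings off and on, run against the two escaping styles. All function names are hypothetical, and the decoder only models octal escapes, `\\`, `\'` and doubled quotes.

```python
OCTAL = "01234567"

def decode_literal(sql, standard_conforming=True):
    """Simplified model of how PostgreSQL reads one quoted string literal.

    Returns (value, rest): the decoded text and whatever follows the closing
    quote. An E prefix turns backslash escapes on regardless of the setting.
    """
    backslash = not standard_conforming
    if sql[:2] in ("E'", "e'"):
        backslash, sql = True, sql[1:]
    if not sql.startswith("'"):
        raise ValueError("not a string literal")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "'" and sql[i + 1:i + 2] == "'":   # '' is one quote in both modes
            out.append("'")
            i += 2
        elif c == "'":                              # closing quote
            return "".join(out), sql[i + 1:]
        elif c == "\\" and backslash:
            j = i + 1
            while j < min(i + 4, len(sql)) and sql[j] in OCTAL:
                j += 1
            if j > i + 1:                           # \ooo octal escape, \047 is '
                out.append(chr(int(sql[i + 1:j], 8)))
                i = j
            else:                                   # \\ or \' style escape
                out.append(sql[i + 1:i + 2])
                i += 2
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")

def escape_backslash_octal(value):
    # Output style quoted in the thread: ' becomes \047 (doubling \ is assumed).
    return "'" + value.replace("\\", "\\\\").replace("'", "\\047") + "'"

def escape_standard(value):
    # SQL-standard quote doubling; safe in both modes only if value has no backslash.
    return "'" + value.replace("'", "''") + "'"

def round_trips(escape, value, standard_conforming):
    decoded, rest = decode_literal(escape(value), standard_conforming)
    return decoded == value and rest == ""

if __name__ == "__main__":
    for on in (False, True):   # constructed sample value taken from the thread
        for esc in (escape_backslash_octal, escape_standard):
            ok = round_trips(esc, "let's", on)
            print(f"standard_conforming_strings={on} {esc.__name__}: {'ok' if ok else 'MISMATCH'}")
```
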