wxSQlite 3 - wxSQLite3StatementBuffer::Format  [SOLVED]

doublemax
Moderator

wxSQlite 3 - wxSQLite3StatementBuffer::Format

Postby doublemax » Wed Mar 13, 2013 5:48 pm

Hi Ulrich,

I'm wondering about the usage/usability of wxSQLite3StatementBuffer::Format.

As its parameters are directly passed to the underlying sqlite functions, there are a few things that don't work.

E.g.
a) The format string can't contain any non-ASCII chars, because it can't be a wide string.

b) I can't use a wxString directly as a parameter. And if I add a ToUTF8() myself to the parameter, I'm making the assumption that the implementation uses UTF8. Which is true, but I think this should be hidden.

wxSQLite3StatementBuffer bufSQL;
wxString value( wxT("äöüÄÖÜ O'Brian") );

// doesn't compile, because the format string is wide
bufSQL.Format( wxT("INSERT INTO test VALUES(%Q);"), value);

// compiles, but doesn't work, as wxString is not passed correctly
bufSQL.Format( "INSERT INTO test VALUES(%Q);", value);

// this works, but is a pain to type if you have many parameters
bufSQL.Format( "INSERT INTO test VALUES(%Q);", (const char *)value.ToUTF8());


Using Bind is the obvious solution, but this is also much more to type.

Ideally, I'd like something like this, without wxSQLite3StatementBuffer at all:

wxString s1, s2, s3;
// ...
db->ExecuteUpdate( "INSERT INTO test VALUES(%Q, %Q, %Q);", s1, s2, s3 );

Use the source, Luke!

utelle
Moderator

Re: wxSQlite 3 - wxSQLite3StatementBuffer::Format  [SOLVED]

Postby utelle » Thu Mar 14, 2013 3:51 pm

doublemax wrote: I'm wondering about the usage/usability of wxSQLite3StatementBuffer::Format.

wxSQLite3 is a thin wrapper for SQLite3. SQLite3 offers a function for automatically quoting strings correctly. Therefore wxSQLite3StatementBuffer exists - just for completeness.

I never used wxSQLite3StatementBuffer in my own applications. And I don't recommend its use.

Probably it would have been better to omit this class right from the beginning.

doublemax wrote: As its parameters are directly passed to the underlying sqlite functions, there are a few things that don't work.

E.g.
a) The format string can't contain any non-ASCII chars, because it can't be a wide string.

b) I can't use a wxString directly as a parameter. And if I add a ToUTF8() myself to the parameter, I'm making the assumption that the implementation uses UTF8. Which is true, but I think this should be hidden.

I know these deficiencies of method wxSQLite3StatementBuffer::Format. However, it would require quite an effort to implement a generic Format method. Probably it could be done by copying the code from the wxString class and adding the special Q format codes. (IMHO it's not worth the effort.)

doublemax wrote: Using Bind is the obvious solution, but this is also much more to type.

Is it really so much more to write? Using Bind is definitely the recommended way to do it. It avoids potential problems with code injection and it avoids problems with formatting for example numbers of type double or BLOBs.

doublemax wrote: Ideally, I'd like something like this, without wxSQLite3StatementBuffer at all:

wxString s1, s2, s3;
// ...
db->ExecuteUpdate( "INSERT INTO test VALUES(%Q, %Q, %Q);", s1, s2, s3 );

Sorry, I do not intend to provide such a method. Preparing an SQL statement in that way is potentially dangerous ... use of wrong format codes ... SQL code injection ...

Regards,

Ulrich
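As an added illustration of the two points Ulrich makes (wrong format codes, and formatting of doubles and BLOBs), here is the same comparison written against Python's standard sqlite3 module, which drives the same SQLite engine. This is example code, not code from the thread or from wxSQLite3: the quote_q helper is a hand-written emulation of the %Q conversion of sqlite3_mprintf that Format hands its arguments to, the ? parameters play the role of wxSQLite3Statement::Bind, and the table, the names and the injection payload are constructed for the example.

```python
import sqlite3

# Constructed sample data for this example (not taken from the thread).
NAME = "äöüÄÖÜ O'Brian"
PAYLOAD = "' OR '1'='1"


def quote_q(value):
    """Emulation (written for this example) of the %Q conversion of
    sqlite3_mprintf: None becomes NULL, anything else is rendered as text
    inside single quotes with every embedded single quote doubled."""
    if value is None:
        return "NULL"
    return "'" + str(value).replace("'", "''") + "'"


def open_db():
    """In-memory table; the columns deliberately have no declared type, so
    SQLite keeps exactly the storage class it was handed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test(name, price)")
    conn.execute("INSERT INTO test(name) VALUES(?)", ("Alice",))
    conn.execute("INSERT INTO test(name) VALUES(?)", (NAME,))
    return conn


def select_with_s(conn, name):
    """Wrong format code: %s-style raw substitution inside hand-written quotes."""
    sql = "SELECT name FROM test WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def select_with_q(conn, name):
    """%Q-style: the quoting is generated, so an apostrophe cannot break out."""
    sql = "SELECT name FROM test WHERE name = " + quote_q(name)
    return [row[0] for row in conn.execute(sql)]


def select_with_bind(conn, name):
    """Prepared statement with a bound parameter (what Bind does in wxSQLite3):
    the value never becomes part of the SQL text at all."""
    return [row[0] for row in conn.execute(
        "SELECT name FROM test WHERE name = ?", (name,))]


def stored_type_via_q(value):
    """Insert via %Q-style formatting and report the storage class SQLite kept."""
    conn = open_db()
    conn.execute("INSERT INTO test(name, price) VALUES('fmt', " + quote_q(value) + ")")
    return conn.execute("SELECT typeof(price) FROM test WHERE name = 'fmt'").fetchone()[0]


def stored_type_via_bind(value):
    """Insert via a bound parameter and report the storage class SQLite kept."""
    conn = open_db()
    conn.execute("INSERT INTO test(name, price) VALUES('bind', ?)", (value,))
    return conn.execute("SELECT typeof(price) FROM test WHERE name = 'bind'").fetchone()[0]


def run_demo():
    conn = open_db()
    results = {"q_unicode": select_with_q(conn, NAME)}
    try:
        select_with_s(conn, NAME)
        results["s_unicode"] = "ran"
    except sqlite3.OperationalError:
        # the apostrophe in O'Brian terminates the string literal early
        results["s_unicode"] = "syntax error"
    results["s_injection"] = select_with_s(conn, PAYLOAD)        # every row leaks
    results["q_injection"] = select_with_q(conn, PAYLOAD)        # no row
    results["bind_injection"] = select_with_bind(conn, PAYLOAD)  # no row
    results["q_double"] = stored_type_via_q(3.14)                # the number became text
    results["bind_double"] = stored_type_via_bind(3.14)          # stays a real
    results["bind_blob"] = stored_type_via_bind(b"\x00\x01")     # stays a blob
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

With %s the apostrophe alone is a syntax error and the payload returns every row of the table; %Q survives both, but a double pushed through it is stored as text (in C the mismatch is worse, since %Q expects a char* in the varargs); only the bound parameter keeps the double a REAL and the bytes a BLOB.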

doublemax
Moderator

Re: wxSQlite 3 - wxSQLite3StatementBuffer::Format

Postby doublemax » Thu Mar 14, 2013 5:37 pm

Fair enough. Thanks for answering.
Use the source, Luke!
