Comment #1 on issue 225 by raindog...@gmail.com: No prepared statements
http://code.google.com/p/gambas/issues/detail?id=225

Actually, there kind of are. While there's no method called "prepare" in  
the Connection class, there is the Connection.Subst method, which safely  
quotes parameters to the SQL statement, as well as the Connection.Quote  
method which quotes a single parameter.

While these don't address the performance gains you get by, say, preparing  
a SQL statement once (which pre-compiles it in other implementations such  
as Perl DBI, when the DBMS supports it) and repeatedly executing it with  
different parameters, they do address most of the security issues with  
inserting parameters as strings, VB-style.

As a bonus, at least compared to Perl's implementation, when you use date  
variables in Gambas and pass them through Quote or Subst, they're formatted  
SQL-style (YYYY-MM-DD) rather than needing to convert them first using  
strftime or something similar.
