On Thu, Jul 16, 2009 at 1:20 PM, Michael Schlenker<m...@contact.de> wrote:
> You're working far too hard. The sqlite Tcl binding already does all that's
> needed.
>
> This is perfectly safe:
> set result [db1 eval {select * from X where label = $myStringValue and id > $compId}]
>
> But you MUST use {} to quote your query and not "", so sqlite gets to do the
> substitution (or better said convert things to prepared statements and bind
> values correctly) and not Tcl.
>
> Michael
Hi Michael,

Ok, I can see how this would be the easiest solution, but what I am doing is basically a query builder (mapping of commands in a specialized language to pattern subselects in SQL queries). Since the statements can be nested in many different ways, I cannot expect to be able to construct the query and keep track of variable names to be used in the final substitution, so that I can make use of the built-in binding feature of sqlite.... It is much too much hard work.

Instead, I think I need to make each part of the query return a complete (not to be evaluated further outside of sqlite) SQL query subselect statement, which is why I think I need to make sure that the values I insert are safe inside an SQL statement myself.

Or, do you know of a Tcl command to make strings "SQL safe"? (Sorry for making this into a Tcl question now..)

/Fredrik

--
"Life is like a trumpet - if you don't put anything into it, you don't get anything out of it."
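The following is an added example, not code from either poster. It uses Python's sqlite3 module in place of the Tcl binding, because the technique is the same: Michael's point (values pasted into the query text versus values bound to placeholders) is shown as two functions, and Fredrik's nesting problem is addressed with a small builder whose fragments carry their own bind parameters, so nested subselects can be composed without losing track of what gets bound. The table X with columns id and label, the sample rows, and all function and class names are constructed for the example.

```python
import re
import sqlite3

# Constructed sample table X(id, label); the labels are chosen to show
# what happens when a value carries a quote or SQL-looking text.
SAMPLE_ROWS = [
    (1, "alpha"),
    (2, "beta"),
    (3, "o'neil"),
    (4, "x' or 1=1 --"),
]


def make_db():
    """Open an in-memory SQLite database holding the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table X (id integer primary key, label text)")
    con.executemany("insert into X (id, label) values (?, ?)", SAMPLE_ROWS)
    return con


def query_pasted(con, label, comp_id):
    """The "" style: the value is spliced into the SQL text, so the text of
    the value becomes part of the statement. Kept only as the 'before'."""
    sql = f"select id from X where label = '{label}' and id > {comp_id}"
    return [row[0] for row in con.execute(sql)]


def query_bound(con, label, comp_id):
    """The {} style: placeholders in the text, values bound by SQLite."""
    sql = "select id from X where label = ? and id > ?"
    return [row[0] for row in con.execute(sql, (label, comp_id))]


_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def _ident(name):
    """Binding covers values only; table and column names must be checked
    against an allow-list pattern before they are placed in SQL text."""
    if not _IDENT.match(name):
        raise ValueError(f"bad SQL identifier: {name!r}")
    return name


class Fragment:
    """A piece of SQL text plus the values bound to its '?' markers, in
    order. Fragments compose into nested subselects and the parameters
    travel with the text, so the finished statement is still executed
    with binding rather than with values pasted in."""

    def __init__(self, sql, params=()):
        self.sql = sql
        self.params = tuple(params)

    @staticmethod
    def eq(column, value):
        return Fragment(f"{_ident(column)} = ?", (value,))

    @staticmethod
    def gt(column, value):
        return Fragment(f"{_ident(column)} > ?", (value,))

    def and_(self, other):
        return Fragment(f"({self.sql}) and ({other.sql})",
                        self.params + other.params)

    @staticmethod
    def select(column, table, where):
        return Fragment(
            f"select {_ident(column)} from {_ident(table)} where {where.sql}",
            where.params)

    def in_(self, column):
        """Use this fragment as a subselect: '<column> in (<this>)'."""
        return Fragment(f"{_ident(column)} in ({self.sql})", self.params)


def run(con, frag):
    """Execute a composed fragment; its parameters are bound, never pasted."""
    return [row[0] for row in con.execute(frag.sql, frag.params)]


def nested_query(con, label, comp_id):
    """Two-level example: ids that appear in a subselect on label and that
    also exceed comp_id. Both values end up as bound parameters."""
    inner = Fragment.select("id", "X", Fragment.eq("label", label))
    cond = inner.in_("id").and_(Fragment.gt("id", comp_id))
    return run(con, Fragment.select("id", "X", cond))


if __name__ == "__main__":
    con = make_db()
    hostile = "x' or 1=1 --"
    print("pasted:", query_pasted(con, hostile, 0))   # every row comes back
    print("bound: ", query_bound(con, hostile, 0))    # only the row with that label
    print("nested:", nested_query(con, hostile, 0), nested_query(con, "beta", 0))
```

With the fourth sample label, the pasted form turns the WHERE clause into `label = 'x' or 1=1` and returns every row, while the bound form returns only row 4, whose label literally is that string; the pasted form cannot even express the label `o'neil`, which the bound form handles without any escaping. Each `Fragment` keeps its parameter tuple next to its text, so composing subselects in any depth simply concatenates parameter tuples in the same order as the `?` markers. The one thing binding does not cover is identifiers, which is why `_ident` checks every table and column name against an allow-list pattern.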