On Tue, Apr 23, 2013 at 08:47:18PM -0700, Igor Korot scratched on the wall:
> Here is the code:
>
> query = wxString::Format( "INSERT INTO playersdrafted VALUES( %d, %d, (
> SELECT ownerid FROM owners WHERE ownername = \"%s\" AND id = %d ), %d, %d,
> \"%s\" );", player.GetPlayerId(), leagueId, const_cast<CPlayer &>( player
> ).GetOwner(), leagueId, player.GetAmountPaid(), player.GetDraftOrder(),
> const_cast<CPlayer &>( player ).GetDraftedPosition() );
Two side comments:
1) SQL string-literals use ' not ".
2) Using string manipulation functions to build statements is really
bad form and can easily open the code up to SQL injection attacks
and other problems. For example, if a player's owner string has a
quote in it, this code won't work. Using bound parameters fixes
all this.
-j
--
Jay A. Kreibich < J A Y @ K R E I B I.C H >
"Intelligence is like underwear: it is important that you have it,
but showing it to the wrong people has the tendency to make them
feel uncomfortable." -- Angela Johnson
_______________________________________________
sqlite-users mailing list
http://sqlite.org:8080/cgi-bin/mailman/listinfo/sqlite-users
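Comment 2 worked through, as an added example that is not from the thread: the same INSERT is run once by splicing values into the SQL text (with ' for literals, per comment 1) and once with bound parameters, against a constructed in-memory database whose owner name contains an apostrophe. Python's standard sqlite3 module stands in for the wxWidgets/C++ code; the table columns, the Player class and the sample rows are assumptions.

```python
import sqlite3
from dataclasses import dataclass

# Constructed schema for the two tables named in the thread (column names assumed).
SCHEMA = """
CREATE TABLE owners (id INTEGER, ownerid INTEGER, ownername TEXT);
CREATE TABLE playersdrafted (playerid INTEGER, leagueid INTEGER, ownerid INTEGER,
                             amountpaid INTEGER, draftorder INTEGER, position TEXT);
"""

@dataclass
class Player:            # stand-in for the thread's CPlayer
    player_id: int
    owner: str
    amount_paid: int
    draft_order: int
    drafted_position: str

def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    # Constructed sample owners for league id 3; one name contains an apostrophe.
    con.executemany("INSERT INTO owners VALUES (?, ?, ?)",
                    [(3, 42, "O'Brien"), (3, 43, "Smith")])
    return con

def _ownerid_for(con, player_id):
    return con.execute("SELECT ownerid FROM playersdrafted WHERE playerid = ?",
                       (player_id,)).fetchone()

def insert_formatted(con, p, league_id):
    """Original approach: values are pasted into the SQL text. A quote in the
    owner name breaks the statement; returns None when SQLite rejects it."""
    sql = ("INSERT INTO playersdrafted VALUES( %d, %d, ( SELECT ownerid FROM owners "
           "WHERE ownername = '%s' AND id = %d ), %d, %d, '%s' );"
           % (p.player_id, league_id, p.owner, league_id,
              p.amount_paid, p.draft_order, p.drafted_position))
    try:
        con.execute(sql)
    except sqlite3.OperationalError:    # e.g. near "Brien": syntax error
        return None
    return _ownerid_for(con, p.player_id)

def insert_bound(con, p, league_id):
    """Same statement with ? placeholders: values are bound, never parsed as SQL."""
    sql = ("INSERT INTO playersdrafted VALUES( ?, ?, ( SELECT ownerid FROM owners "
           "WHERE ownername = ? AND id = ? ), ?, ?, ? );")
    con.execute(sql, (p.player_id, league_id, p.owner, league_id,
                      p.amount_paid, p.draft_order, p.drafted_position))
    return _ownerid_for(con, p.player_id)
```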