Re: when I insert table, value is a string contains apostrophe - it throws an error there - how to fix


It was thus said that the Great Florian Weimer once stated:
> 
> LuaSQL should really, really support parametrized queries, though, but
> currently, it doesn't. 8-(
 You could always do something like:
-- sql_sanitize() sanitizes the SQL statement, maybe even
-- surrounding it with quotes or whatever ...
function prepare(statement,vars)
  local function cmd(tag)
    -- strip the leading "%{" and trailing "}%" to get the variable name
    local word = string.sub(tag,3,-3)
    if type(vars[word]) == "nil" then
      return ""
    elseif type(vars[word]) == "string" then
      return sql_sanitize(vars[word])
    elseif type(vars[word]) == "function" then
      return sql_sanitize(vars[word]())
    else
      return sql_sanitize(tostring(vars[word]))
    end
  end
  -- the parentheses drop gsub's second result (the substitution count)
  return (string.gsub(statement,"%%{[%w%.]+}%%",cmd))
end

statement = prepare([[
	SELECT name,addr1,addr2,phone
	FROM %{customer}%
	WHERE
		name=%{name}%
		AND status=%{status}%]],
	{
	 customer = 'customer',
	 name = "Robert'); DROP customers;",
	 status = 3
	})
connection:SQL(statement)
 -spc (Hmmm ... now where's that PHP webapp I'm supposed to be working on?)
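A fuller version of the substitution idea above, added here as an example and not part of the original post: it spells out a sanitizer for string literals (the post leaves sql_sanitize() undefined) and keeps identifier placeholders such as the table name separate from value placeholders, since a table name cannot be protected by quoting it like a string. The names sql_quote, sql_ident and the "@" identifier prefix are this example's own conventions.

```lua
-- Added example, not from the original post. Assumed conventions:
-- %{name}% is a value placeholder, %{@name}% is an identifier placeholder.

-- Quote a value as a SQL string literal. Doubling the single quote is the
-- SQL-standard escape; if the database also interprets backslashes in
-- literals (MySQL does by default), use the driver's own escape function.
local function sql_quote(value)
  if value == nil then return "NULL" end
  if type(value) == "number" then return tostring(value) end
  if type(value) == "boolean" then return value and "TRUE" or "FALSE" end
  return "'" .. tostring(value):gsub("'", "''") .. "'"
end

-- Identifiers (table/column names) cannot be quoted like values, so only a
-- plain word shape is accepted; anything else is refused, not spliced in.
local function sql_ident(value)
  if type(value) ~= "string" or not value:match("^[%a_][%w_]*$") then
    error("unsafe SQL identifier: " .. tostring(value))
  end
  return value
end

function prepare(statement, vars)
  local function cmd(tag)
    local ident, word = tag:match("^%%{(@?)([%w_%.]+)}%%$")
    local value = vars[word]
    if type(value) == "function" then value = value() end
    if ident == "@" then return sql_ident(value) end
    return sql_quote(value)
  end
  -- parentheses drop gsub's second result (the substitution count)
  return (statement:gsub("%%{@?[%w_%.]+}%%", cmd))
end

-- Constructed input: the same injection attempt as in the post. The
-- apostrophe inside the name is doubled, so it stays inside the literal
-- instead of terminating it.
local statement = prepare([[
  SELECT name,addr1,addr2,phone
  FROM %{@customer}%
  WHERE name=%{name}% AND status=%{status}%]],
  { customer = "customer", name = "Robert'); DROP customers;", status = 3 })
print(statement)
```

Escaping by hand like this is still a fallback: a driver that supports real bound parameters sends values out of band and needs none of it.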