which1 Posted December 4, 2012

Hi there, I'm experiencing the following problem.

This works fine:

_SQLite_Exec(-1, "UPDATE table1 SET column1 = 'Some text' WHERE table1_ID = 2")

Now, take $txt as a string variable:

$txt = "Some text"

Of course this works fine too:

_SQLite_Exec(-1, "UPDATE table1 SET column1 =" & " ' " & $txt & " ' " & " WHERE table1_ID = 2")

But the following $txt raises an issue due to the quote inside the text:

$txt = "It's a text"

Double quotes don't help: either the quote appears in the command string ("UPDATE table1...) and causes an error, or it doesn't appear at all, and the text is wrong (missing its quotes).

Furthermore, $txt used to be:

$txt = FileRead("C:\Programm\export_text_SQLite.txt")

and used to be around 1 KB. In this case, quotes are likely to be met everywhere in the text.

The solution I use for now is:

Local $txt = StringReplace($texte, "'", "*") before input into the database
Local $out = StringReplace($texte, "*", "'") after output from the database

But this seems at least artificial and tricky.
KaFu Posted December 4, 2012 (edited)

Use _SQLite_FastEscape($txt); this function in principle does what you're currently doing manually.

OS: Win10-22H2 - 64bit - German, AutoIt Version: 3.3.16.1, AutoIt Editor: SciTE, Website: https://funk.eu
AMT - Auto-Movie-Thumbnailer (2022-Nov-26), BIC - Batch-Image-Cropper (2023-Apr-01), COP - Color Picker (2009-May-21), DCS - Dynamic Cursor Selector (2024-Feb-16), HMW - Hide my Windows (2018-Sep-16), HRC - HotKey Resolution Changer (2012-May-16), ICU - Icon Configuration Utility (2018-Sep-16), SMF - Search my Files (2023-Jun-03) - THE file info and duplicates search tool, SSD - Set Sound Device (2017-Sep-16)
jchd Posted December 4, 2012

Adding to KaFu's correct answer, you only need to escape string inputs (INSERTs). SELECT query results don't need any kind of adjustment.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks. Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here. RegExp tutorial: enough to get started. PCRE v8.33 regexp documentation: latest available release and currently implemented in AutoIt beta. SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try. SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager. An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work. SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well). A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages! SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt).
which1 Posted December 5, 2012 (Author)

Thanks to both of you. Very helpful indeed!
Mat Posted December 5, 2012

> Adding to KaFu's correct answer, you only need to escape string inputs (INSERTs). SELECT query results don't need any kind of adjustment.

Heh. I can see this going very wrong when people find a way to read tables they shouldn't be. A lot of SQL implementations allow you to end a line with ; and then start a new statement in the same query. So I think it should stay as: escape all user input before querying anything.

AutoIt Project Listing
jchd Posted December 5, 2012

Sorry Mat, but I don't fully get what you just said. In a sense I used a bad phrasing: every string literal used in a SQLite statement should be escaped (= meaningful single quotes must be doubled). While this is most useful for inserts or updates, it is also required for string literals in other SQL statements. I nonetheless stand behind the fact that query results don't need any adjustment.

Yes, SQLite allows multiple SQL statements in a single _SQLite_Exec call. However, I fail to see what this has to do with escaping string literals.
Mat Posted December 5, 2012

Ah OK, so you mean data returned? I thought you meant something like this was OK:

_SQLite_Exec("SELECT * FROM foo WHERE bar = '" & $userInput & "'")

where $userInput has not been escaped. That would be opening up a hole for an injection attack. Re-reading what you posted, you are right. I read it as "SELECT queries don't need any kind of adjustment."
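The three cases argued over in this thread (the raw concatenation breaking on "It's a text", doubling the single quotes so the literal stays intact, and binding the value as a parameter so nothing is ever spliced into the SQL) as an added example using Python's built-in sqlite3 module; this is not code from the thread or from the AutoIt SQLite UDF, and sqlite_escape() is assumed to mirror only the quote-doubling that _SQLite_FastEscape performs in principle.

```python
import sqlite3

def sqlite_escape(text):
    """Quote a string as an SQLite literal by doubling every single quote.
    Assumption: this mirrors what _SQLite_FastEscape does in principle; it is a
    stand-alone re-implementation for this example, not the AutoIt UDF itself."""
    return "'" + text.replace("'", "''") + "'"

def make_db():
    """Constructed in-memory database with the thread's table1 / column1 layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE table1 (table1_ID INTEGER PRIMARY KEY, column1 TEXT)")
    conn.execute("INSERT INTO table1 VALUES (2, 'placeholder')")
    return conn

def update_concat(conn, txt):
    """The thread's original approach: the text is spliced straight into the SQL.
    A quote inside txt ends the literal early, so the statement no longer parses."""
    conn.execute("UPDATE table1 SET column1 = '" + txt + "' WHERE table1_ID = 2")

def update_escaped(conn, txt):
    """Same statement, but the literal is built with sqlite_escape()."""
    conn.execute("UPDATE table1 SET column1 = " + sqlite_escape(txt)
                 + " WHERE table1_ID = 2")

def update_bound(conn, txt):
    """Parameter binding: the value never becomes SQL text, so there is nothing to escape."""
    conn.execute("UPDATE table1 SET column1 = ? WHERE table1_ID = 2", (txt,))

def read_back(conn):
    """Query results come back as stored; no un-escaping step is needed."""
    return conn.execute("SELECT column1 FROM table1 WHERE table1_ID = 2").fetchone()[0]

def demo():
    conn = make_db()
    # Constructed sample text with the quotes, a semicolon and a newline a read-in file might carry.
    txt = "It's a text\nwith 'several' quotes; it's fine"
    concat_failed = False
    try:
        update_concat(conn, txt)
    except sqlite3.Error:
        concat_failed = True           # SQLite rejects the broken statement
    update_escaped(conn, txt)
    escaped_round_trip = read_back(conn) == txt
    update_bound(conn, txt + " (bound)")
    bound_round_trip = read_back(conn) == txt + " (bound)"
    return concat_failed, escaped_round_trip, bound_round_trip

if __name__ == "__main__":
    print(demo())
```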
jchd Posted December 5, 2012

Zero problem Mat!