[Qt-interest] OT: Re: Proper way to update a BLOB field
Jason H
scorp1us at yahoo.com
Wed Apr 14 17:08:29 CEST 2010
Oh dear lord. That stuff is ok to experiment with in college, but any 'real' programmer would always use the bindValue[s]() interface.
Though, I must admit, that I do use:
QSqlQuery q(QString("select x,y from tablename where w=%1").arg(keyValue));
Here, though, if keyValue is not a number, it will fail. That is the only acceptable string building. Also note that just because you got a string value from a database, it still cannot be trusted. If your GUI guy used the bind() interface, then it would only defer the injection attack until you processed it later, without the bind().
----- Original Message ----
From: Dusan Zatkovsky <msk.conf at gmail.com>
To: qt-interest at trolltech.com
Sent: Wed, April 14, 2010 10:14:40 AM
Subject: [Qt-interest] OT: Re: Proper way to update a BLOB field
On Wednesday 14 of April 2010 14:47:57 David Boosalis wrote:
> QString str = "UPDATE MyTable SET x='" + QString::number(myClass->x) +
> "', y='" + QString::number(myClass->y) +
> ", headerState" + myClass->byteArray +
> " WHERE id='" + QString::number(myClass->id));
OT, this is the best example of how an SQL statement must !not! be constructed, due
to SQL injection.
--
Dusan
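Added example, not code from this thread or from Qt: Python's sqlite3 module stands in for QSqlQuery so it runs without a Qt install (prepare()/bindValue() become execute() with ? placeholders). The MyTable schema, the PAYLOAD string, the BLOB bytes and the O'Brien note are constructed; executescript() emulates a driver that accepts several statements in one string. It shows the concatenated UPDATE from David's post letting a quote in headerState alter a row that was never addressed, the bound form storing arbitrary bytes untouched, Jason's numeric-only %1 exception made explicit with a type check, and his last point, where a value stored safely with bind breaks a later concatenated query.

```python
import sqlite3

# Constructed payload: a quote and a second statement, the way attacker-controlled
# "headerState" text would look if it were ever spliced into SQL.
PAYLOAD = "h'; UPDATE MyTable SET x=999; -- "


def make_db():
    """Constructed in-memory table mirroring the UPDATE from the original post."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE MyTable (id INTEGER PRIMARY KEY, x INTEGER, "
                "y INTEGER, headerState BLOB, note TEXT)")
    con.executemany("INSERT INTO MyTable VALUES (?, 0, 0, X'', '')", [(1,), (2,)])
    con.commit()
    return con


def update_concat(con, row_id, x, y, header_state):
    """String-built UPDATE in the style of the original post, kept vulnerable on purpose.
    header_state is spliced into the statement text, so quotes in it change the SQL."""
    sql = ("UPDATE MyTable SET x='" + str(x) + "', y='" + str(y) +
           "', headerState='" + header_state + "' WHERE id='" + str(row_id) + "'")
    # executescript runs every statement in the string, like a driver that allows batches.
    con.executescript(sql)
    con.commit()


def update_bound(con, row_id, x, y, header_state):
    """Parameterised UPDATE: the stand-in for QSqlQuery::prepare() + bindValue().
    The BLOB is passed as bytes and never becomes part of the SQL text."""
    con.execute("UPDATE MyTable SET x=?, y=?, headerState=? WHERE id=?",
                (x, y, header_state, row_id))
    con.commit()


def select_by_numeric_key(con, key_value):
    """Jason's one accepted string build: '%1' substitution of a key that is guaranteed
    numeric. The guarantee is enforced here rather than assumed from the caller."""
    if isinstance(key_value, bool) or not isinstance(key_value, int):
        raise TypeError("keyValue must be an int")
    return con.execute("SELECT x, y FROM MyTable WHERE id=%d" % key_value).fetchone()


def second_order_breaks(con):
    """Jason's last point: a value stored safely with bind is still untrusted once read
    back. Returns True when re-using it in a concatenated query breaks that query."""
    con.execute("UPDATE MyTable SET note=? WHERE id=?", ("O'Brien", 1))
    note = con.execute("SELECT note FROM MyTable WHERE id=1").fetchone()[0]
    try:
        con.execute("SELECT id FROM MyTable WHERE note='" + note + "'")
        return False
    except sqlite3.OperationalError:   # the stored quote splits the string literal
        return True


def demo():
    """Runs both UPDATE forms against fresh tables and reports what happened."""
    con = make_db()
    update_concat(con, 1, 1, 2, PAYLOAD)          # only row 1 was meant to change
    tampered_x = con.execute("SELECT x FROM MyTable WHERE id=2").fetchone()[0]

    con = make_db()
    blob = PAYLOAD.encode() + b"\x00\x1f"         # arbitrary bytes, incl. NUL, like a real BLOB
    update_bound(con, 1, 1, 2, blob)
    untouched_x = con.execute("SELECT x FROM MyTable WHERE id=2").fetchone()[0]
    stored_blob = con.execute("SELECT headerState FROM MyTable WHERE id=1").fetchone()[0]
    return {"tampered_x": tampered_x, "untouched_x": untouched_x,
            "stored_blob": bytes(stored_blob)}


if __name__ == "__main__":
    print(demo())
    print("second-order breaks:", second_order_breaks(make_db()))
```

With the concatenated form, row 2 ends up with x=999 although the statement named only id 1; with the bound form, row 2 is untouched and the headerState bytes, quote, semicolon and NUL included, come back exactly as stored. The same binding applies in Qt: prepare the statement with placeholders and pass the QByteArray to bindValue(), never through QString concatenation.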
_______________________________________________
Qt-interest mailing list
Qt-interest at trolltech.com
http://lists.trolltech.com/mailman/listinfo/qt-interest