lua-l archive


* Vasanta:

> Thanks Florian for the script. Actually I am calling db.insert
> below; at the bottom, db.execute is where it executes the query string,
> and where it fails. Do I have to merge the script you gave me below with
> my db.insert script? This is my db.insert script.

I don't know where your database connection object is located, but you
need to turn

>     if (v ~= "_ROWID_") then
>         insertPart = insertPart .. "\'" .. v .. "\', "

"v" into "conn:escape(v)",

>        -- if post contained field already
>        if notFullKey and util.tableKeyExists(tableInput, v) then
>           valuesPart = valuesPart .. "\'" .. tableInput[v] .. "\', "

"tableInput[v]" into "conn:escape(tableInput[v])"

and so on.  This should address your problem and also avoid the
dreaded SQL injection problem (if you don't miss any such places).

LuaSQL should really, really support parametrized queries, though, but
currently, it doesn't. 8-(
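As an added illustration of the advice above (not code from the thread or from LuaSQL), here is one way to write the db.insert builder so that every value spliced into the query string passes through conn:escape() in a single place, rather than patching each concatenation individually. Two things the example assumes: the real LuaSQL connection object is passed in as `conn`, and the caller supplies the list of columns the table actually has. Column names are identifiers, not string literals, so conn:escape() does not make them safe; the example checks them against that allow-list instead. To run offline, the demo at the bottom uses a constructed stand-in connection whose escape() doubles single quotes the way the sqlite3 and postgres drivers do (MySQL backslash-escapes instead; the real driver is what you should call).

```lua
-- Added example, not from the original message or from LuaSQL itself.
-- Builds an INSERT statement with conn:escape() applied to every value.

-- conn:            a LuaSQL connection (anything with an escape(self, s) method)
-- table_name:      the target table (a constant in your code, never user input)
-- allowed_columns: the table's real column names (assumption: the caller knows them)
-- input:           the POST table, possibly containing hostile strings and extra keys
local function build_insert(conn, table_name, allowed_columns, input)
  local cols, vals = {}, {}
  for _, col in ipairs(allowed_columns) do
    -- identifiers come only from the allow-list; keys in `input` that are not
    -- listed (or are _ROWID_) are ignored rather than spliced into the SQL
    if col ~= "_ROWID_" and input[col] ~= nil then
      cols[#cols + 1] = col
      -- every value goes through the driver's escape function before being
      -- wrapped in single quotes; numbers are converted with tostring first
      vals[#vals + 1] = "'" .. conn:escape(tostring(input[col])) .. "'"
    end
  end
  if #cols == 0 then
    return nil, "no insertable columns in input"
  end
  return string.format("INSERT INTO %s (%s) VALUES (%s)",
    table_name, table.concat(cols, ", "), table.concat(vals, ", "))
end

-- With a real driver the call looks like this (assumption: sqlite3 driver, file app.db):
--   local env  = require("luasql.sqlite3").sqlite3()
--   local conn = env:connect("app.db")
--   local sql  = assert(build_insert(conn, "users", {"name", "email"}, post))
--   assert(conn:execute(sql))

-- Constructed stand-in so this file runs without a database: escape() doubles
-- single quotes, which is what the sqlite3/postgres drivers do. Use the real
-- conn:escape() in production; MySQL needs backslash escaping, for example.
local fake_conn = {
  escape = function(self, s) return (s:gsub("'", "''")) end,
}

-- Constructed hostile input: a quote-breaking injection attempt plus a key
-- ("role") that is not an allowed column and must not reach the statement.
local post = {
  name  = "O'Reilly', 'x'); DROP TABLE users; --",
  email = "or@example.com",
  role  = "admin",
}

print(assert(build_insert(fake_conn, "users", {"name", "email"}, post)))
```

In the printed statement the single quote in `O'Reilly` is doubled, so the whole hostile string stays inside one literal and the `DROP TABLE` fragment is just data; the `role` key never appears because it is not on the allow-list. Centralising the escaping this way answers the "if you don't miss any such places" caveat from the message: there is only one place. It is still only escaping, though; it does not give you the type safety of real parametrized queries, which the message notes LuaSQL does not currently offer.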