

It was thus said that the Great Florian Weimer once stated:
> 
> LuaSQL should really, really support parametrized queries, though, but
> currently, it doesn't. 8-(

  You could always do something like:


-- sql_sanitize() (not shown) sanitizes each value before it is spliced into
-- the SQL statement, maybe even surrounding it with quotes or whatever ... 

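--- Expand "%{name}%" placeholders in an SQL statement from a table of values.
-- Every substituted value goes through sql_sanitize() (defined elsewhere):
-- strings directly, functions after being called with no arguments, anything
-- else after tostring(). A placeholder with no matching entry in `vars`
-- becomes the empty string.
-- @tparam string statement SQL text containing %{name}% placeholders
-- @tparam table vars placeholder name -> string | number | function | ...
-- @treturn string the statement with placeholders replaced
-- @treturn number the number of placeholders replaced (second result of string.gsub)
function prepare(statement, vars)
  -- Called once per placeholder; `word` is the name captured between %{ and }%.
  local function cmd(word)
    local value = vars[word]
    local kind = type(value)
    if kind == "nil" then
      -- NOTE(review): a missing variable silently becomes "", which usually
      -- leaves a syntactically broken clause (e.g. "name=") rather than
      -- failing loudly; error() here would fail closed.
      return ""
    elseif kind == "string" then
      return sql_sanitize(value)
    elseif kind == "function" then
      return sql_sanitize(value())
    else
      -- numbers, booleans, tables, ... are stringified before sanitizing, so
      -- the sanitizer sees them as text, not as typed values.
      return sql_sanitize(tostring(value))
    end
  end

  -- The capture hands cmd() only the name. The original used
  -- string.sub(tag, 3, 3) on the whole match, i.e. a single character, so
  -- %{customer}% looked up vars["c"] instead of vars["customer"].
  return string.gsub(statement, "%%{([%w%.]+)}%%", cmd)
end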

  -- Example use: the placeholder values are kept in a table so that the
  -- untrusted input (the `name` string, which carries a quote and a
  -- statement terminator) is visibly separate from the query text.
  -- NOTE(review): the table name (`customer`) goes through the same
  -- sql_sanitize() as the literals; whether a sanitizer meant for string
  -- values is also right for identifiers depends on its implementation.
  -- `status = 3` arrives at the sanitizer as the string "3".
  local params = {
    customer = 'customer',
    name     = "Robert'); DROP customers;",
    status   = 3
  }
  local query_text = [[
	SELECT name,addr1,addr2,phone
	FROM %{customer}%
	WHERE
		name=%{name}%
		AND status=%{status}%]]

  -- `statement` is a global here, as in the original snippet.
  statement = prepare(query_text, params)

  connection:SQL(statement)

  -spc (Hmmm ... now where's that PHP webapp I'm supposed to be working on?)