How To : Using SQL Query Escaping
Description
This document describes how to escape SQL queries.
Prerequisites
Connecting to an SQL Database
Creating a Class to Contain Row Data from an SQL Table
Logging in to an SQL Database
Adding CRUD Operations to a Class
Procedure
The SQLConnection Runtime Type described in the Prerequisite documents contains a function named escapeQuery, which builds an SQL query from a string in which each '?' stands for one argument and a collection holding the arguments to substitute for those '?'s. As it builds the final query, escapeQuery escapes each argument in the collection, so argument values cannot alter the structure of the query.
The following screen shot shows how to escape an SQL query, starting with the string preparedStatement.
- Create an expression containing the text of your query using '?' (quotes required) to represent each argument that you will pass to the query.
- Build a collection of strings, where each element in your collection is an argument, with the order of elements matching the order that the arguments will be passed to the query.
- Call SQLConnection's escapeQuery passing the query string, preparedStatement, the argument collection and a string to receive the final query.
The following screen shot shows the buildArgCollection function used above. Notice that we converted due_date and done to strings before adding them to the collection.
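The following Python is an added illustration of the two pieces described above, escapeQuery and buildArgCollection; it is not the Runtime's own code and the Runtime's exact escaping rules are not documented on this page. It assumes a database whose only string metacharacter is the single quote, renders due_date as an ISO date string and done as '0'/'1', and rejects a mismatch between placeholders and arguments so that no raw '?' or unused argument slips into the final query.

```python
from datetime import date


def escape_sql_literal(value) -> str:
    """Render one argument as a single-quoted SQL string literal.

    Hypothetical per-argument escaping: every embedded single quote is
    doubled and the whole value is wrapped in quotes, so the argument can
    never terminate the literal it is placed in.
    """
    text = value if isinstance(value, str) else str(value)
    return "'" + text.replace("'", "''") + "'"


def escape_query(prepared_statement: str, args: list) -> str:
    """Replace each '?' in prepared_statement with one escaped argument.

    The template is split on '?' before any argument is inserted, so a '?'
    inside an argument value is copied literally and never treated as a
    placeholder. A count mismatch raises instead of producing a query with
    a stray '?' or a silently dropped argument.
    """
    parts = prepared_statement.split("?")
    if len(parts) - 1 != len(args):
        raise ValueError(
            f"{len(parts) - 1} placeholders but {len(args)} arguments")
    out = [parts[0]]
    for arg, tail in zip(args, parts[1:]):
        out.append(escape_sql_literal(arg))
        out.append(tail)
    return "".join(out)


def build_arg_collection(title: str, due_date: date, done: bool) -> list:
    """Convert due_date and done to strings before they join the collection,
    as the page's buildArgCollection does (assumed formats: ISO date, 0/1)."""
    return [title, due_date.isoformat(), str(int(done))]


def sample_insert() -> str:
    """Constructed sample: one INSERT built from a three-field task row."""
    args = build_arg_collection("Pay O'Brien", date(2024, 1, 31), True)
    return escape_query(
        "INSERT INTO tasks (title, due_date, done) VALUES (?, ?, ?)", args)
```

A value such as `x' OR '1'='1` passed as an argument stays inside one literal (`'x'' OR ''1''=''1'`), which is the property the escaping step exists to guarantee.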
Error Handling