Bug #655 (closed): Wt::Dbo query parser: handle multi-byte UTF-8 characters
Description
Currently, it appears that the query parser chokes on a query like:
select count(*) from user where name = "绠$悊鍛?"
Updated by Momo LALMI about 13 years ago
It is easy to handle this. If you are looking for user name "绠$悊鍛?" you will perhaps use a WLineEdit where the user will input "绠$悊鍛?".
After that you can just do the following:
std::string query = "select count(*) from user where name = '" + myLineEdit->text().toUTF8() + "'" ;
Updated by Koen Deforche about 13 years ago
Hey Mohammed,
Perhaps we should not fix this.
The example you give is indeed a good example of when you would hit this behavior, but it is at the same time also an example of an SQL injection vector (which could be used by a malicious user to execute random statements on your database).
You really need to use bound parameters to safely pass user content in a query:
std::string query = "select count(*) from user where name = ?";
And subsequently bind the value. This is also potentially more efficient because the database will reuse the same prepared statement and execution strategy for the query.
Regards,
koen
Updated by Momo LALMI about 13 years ago
Hi koen,
It might be useful to write a simple example (3-4 lines of code) to explain how to handle a WString in UTF-8 and how to bind the value :)
Humm, I have to update my code to avoid SQL injection attacks...
Regards
Mohamed
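A self-contained illustration of the two points raised above (added here; it is not Wt's code nor either poster's): a byte-wise placeholder scanner that passes multi-byte UTF-8 literals through untouched, and binding the value separately so user data never rewrites the SQL text. The Wt::Dbo call it stands in for is named in a comment; the "管理员" sample value and the `BoundQuery`/`bind` names are constructed for this example.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// A parameterised statement: the SQL text never changes, user data travels
// separately. The Wt::Dbo call this stands in for is
//   session.query<int>("select count(*) from user where name = ?")
//          .bind(lineEdit->text().toUTF8());
struct BoundQuery {
    std::string sql;
    std::vector<std::string> params;
};

// Count '?' placeholders outside quoted literals; -1 if a literal is left
// open. Scanning with unsigned char is UTF-8 safe: continuation bytes are
// 0x80..0xBF and never collide with '?', '\'' or '"'. (Feeding a negative
// char to <cctype> is undefined behaviour, one way parsers choke on UTF-8.)
long countPlaceholders(const std::string& sql) {
    long count = 0;
    unsigned char quote = 0;  // quote char of the literal we are inside, or 0
    for (std::size_t i = 0; i < sql.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(sql[i]);
        if (quote) {
            if (c != quote) continue;
            if (i + 1 < sql.size() && static_cast<unsigned char>(sql[i + 1]) == quote)
                ++i;        // doubled quote escapes itself ('it''s')
            else
                quote = 0;  // literal closed
        } else if (c == '\'' || c == '"') {
            quote = c;
        } else if (c == '?') {
            ++count;
        }
    }
    return quote ? -1 : count;
}

// Pair a query with its values, refusing mismatched or unparsable input.
BoundQuery bind(const std::string& sql, std::vector<std::string> params) {
    if (countPlaceholders(sql) != static_cast<long>(params.size()))
        throw std::invalid_argument("placeholder/parameter count mismatch");
    return BoundQuery{sql, std::move(params)};
}

// The pattern from the thread, kept only for contrast: a quote in `name`
// rewrites the statement instead of staying data.
std::string concatenated(const std::string& name) {
    return "select count(*) from user where name = '" + name + "'";
}
```

With a bound query the statement text is identical for every input, which is also why the database can reuse one prepared statement.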
Updated by Koen Deforche about 13 years ago
- Status changed from New to Resolved
Hey Mohammed,
I am going to update the query()/find() documentation to point to parameter binding in general, and add a note about UTF-8 !
Regards,
koen
Updated by Koen Deforche about 13 years ago
- Status changed from Resolved to Closed