AltME: Databases

Messages

afsanehsamim
i know it dose not have any value
i do not know what should i write
BrianH
You are missing the actual values to insert. Put those in the block after the SQL string.
TomBon
yes, I see. parameterized inserts are ok but perhaps better make a rejoin.
Andreas
insert db ["insert into sql-tablename (sql-fieldname) values (?)" cgi-values/cgi-fieldname]
TomBon
afsa, the last one from andreas is fine.
BrianH
TomBon, don't encourage people to use rejoin for SQL queries. Definitely use parameterized queries. Building your own queries with rejoin is a sure recipe for SQL injection.
Andreas
i suggest to get the html+cgi echoing working first, then getting a minimal script that inserts a value into your database working, and then putting the two pieces together by extending your "echo" cgi to insert into the database
TomBon
brian, made this for year without any problems. also good for beginners.
checking for proper values and a corerct sql syntax should be always done even when parameterized.
BrianH
Nice to hear, TomBon. Nonetheless, such checking is exactly what parameterized queries do, and I often have to fix errors made by other developers who don't use them. Plus, parameterized queries are a lot quicker on most databases because the query plan gets cached.
It is always a bad idea to suggest to newbie programmers that they not use parameterized queries.
TomBon
well better first to make him clear whats going up, then make the final.
I think he is confused by this examples.
btw, how parameterized queries preventing sql injection if not serverside?
BrianH
Non-parameterized queries are an advanced topic for experienced developers, though also the subject of the worst coding horror stories :)
TomBon
well, well :)
but let's first try to help afsan, if his script is running he can improve it.
afsanehsamim
guys ...i am happy :) it is working... tnx a lot  Andreas ...
thank you TomBon and BrianH
TomBon
nice, good luck with your crossword afsan...
BrianH
With parameterized queries (even in REBOL) the SQL and the parameters are sent separately and combined in the server. The query plan is generated only once per query, with the parameter placeholders being in the plan. Then the actual parameters are plugged into the plan. The next time the parameterized query is called (maybe with differe3nt parameter values) the same plan is used and the new parameter values are plugged in.
TomBon
isn't this execution optimation?. in this case a stored procedure will help also. how will this prevent from sql injection? compared to a concatenated server side sql string?

Last message posted 111 weeks ago.