SELECT Prepared Statement

I use a SELECT command to check if the username and password hash match on login. I then use Prepared Statements for all UPDATE and INSERT INTO commands to stop SQL injections.

How can I stop someone inserting a username ‘;DROP TABLE Users’ on login, i.e. can I use a SELECT command in a Prepared Statement?

Yes, you can use a SELECT in a Prepared Statement.

Yes, absolutely.

Samples here:

// Prepare once; the SQL text is fixed and user input only ever arrives as bound values
dim ps as PreparedSQLStatement = _
    db.Prepare( "SELECT * FROM users WHERE username = $1 AND hash = $2")
// Call BindType here if needed
// Pass the values positionally; they are bound to $1 and $2, never spliced into the SQL
dim rs as RecordSet = ps.SQLSelect( un, hash )
if db.Error then
...
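As an added example (not code from this thread or from the MBS plugin), here is the same login check written against Xojo's native SQLiteDatabase classes in the classic (pre-API 2.0) style, so it matches the sample above. SQLite uses `?` placeholders where PostgreSQL uses `$1`, `$2`. The Users table, its columns, the in-memory database and the sample row are all constructed for the demo.

```xojo
' Added example: a login check with a prepared SELECT using the classic
' SQLiteDatabase / SQLitePreparedStatement classes. Table and column names,
' the sample row and the in-memory database are assumptions for the demo.

Function OpenDemoDatabase() As SQLiteDatabase
  Dim db As New SQLiteDatabase
  db.DatabaseFile = Nil          ' Nil file = in-memory database (constructed sample)
  If Not db.Connect Then
    Return Nil
  End If
  ' Constructed sample schema and one row; "hash" holds a password hash, never the password.
  db.SQLExecute("CREATE TABLE Users (username TEXT PRIMARY KEY, hash TEXT NOT NULL)")
  db.SQLExecute("INSERT INTO Users (username, hash) VALUES ('alice', 'sample-hash-of-alice')")
  db.Commit
  Return db
End Function

Function LoginMatches(db As SQLiteDatabase, username As String, hash As String) As Boolean
  ' The SQL text is fixed; user input never becomes part of it.
  Dim ps As SQLitePreparedStatement = _
    db.Prepare("SELECT username FROM Users WHERE username = ? AND hash = ?")
  ' Declare the parameter types, then bind the values (0-based positions).
  ps.BindType(0, SQLitePreparedStatement.SQLITE_TEXT)
  ps.BindType(1, SQLitePreparedStatement.SQLITE_TEXT)
  ps.Bind(0, username)
  ps.Bind(1, hash)
  Dim rs As RecordSet = ps.SQLSelect
  If db.Error Then
    ' Log db.ErrorMessage in a real app; treat a failed query as a failed login.
    Return False
  End If
  ' A non-empty result means exactly this username/hash pair exists.
  Return rs <> Nil And Not rs.EOF
End Function

' Usage (e.g. in a login button's Action event):
' Dim db As SQLiteDatabase = OpenDemoDatabase()
' LoginMatches(db, "alice", "sample-hash-of-alice")   ' True
' LoginMatches(db, "';DROP TABLE Users", "anything")  ' False: the whole string is compared
'                                                       ' as a literal username, the table survives
```

Because the statement text is compiled before any value is bound, the driver treats `';DROP TABLE Users` as a username to compare against, not as SQL, which is exactly the property the question asks for. The same structure applies unchanged to UPDATE and INSERT with `SQLExecute` in place of `SQLSelect`.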

Thank you all

I now have SELECT Prepared Statements working within SQLDatabaseMBS.

Using Prepared Statements with SQLite or PostgreSQL can mostly be done perfectly well with the native Xojo plugins.

Thank you @Joost Rongen, I am glad you have them working in the Xojo plugins — I assumed that this worked from the comments above.

I tend to prefer the MBS SQLDatabaseMBS plugin so I can create database agnostic applications without having multiple case statements per SQL database brand. I just thought I would inform the SQLDatabaseMBS users that they can get the same Prepared Statement functionality.

Plus, you can connect in its own Thread (not blocking the MainThread).