That’s a very personal opinion; I personally format my code, but not because I have too much time. I often write w/o syntax coloring etc., and well-formatted code is always much more readable. Formatting is for me the only reason to use a non-proportional font.
In another IDE, that is like 200ms of “extra time” by pressing the tab key after the x…
And actually SAVES time when reading the code some time later.
Well, that’s bad code that is just begging for SQL injection. It should look something like
Var Values(7) As Variant
Values(0) = TF_Customer_ID.Text
Values(1) = TF_Customer_Name.Text
Values(2) = TF_Contact_Name.Text
Values(3) = TF_Address.Text
Values(4) = TF_City.Text
Values(5) = TF_Postal_Code.Text
Values(6) = TF_Country.Text
Values(7) = Record_ID
Database.ExecuteSQL("UPDATE Customers SET CustomerID = ?1, CustomerName = ?2, ContactName = ?3, Address = ?4, City = ?5, PostalCode = ?6, Country = ?7 WHERE ID = ?8;", Values)
Which might still warrant breaking the line, but doesn’t really need much to line up nicely.
True, this is better!
Or Xojo could make the method it uses public.
+Secure(TF_City.Text)+
Don’t do that. Only the database knows the right way to sanitize its values. Escaping apostrophes, removing nulls, etc. will only get you so far. It’s not safe enough. Use parameterized queries.
Thanks for this. I don’t know if I care enough about indenting continuations to do that, and possibly more importantly, if I decide I care that much, what does that say about me developing OCD in my advanced age, lol. Main problem is I can’t just insert spaces until it lines up, I have to note the editor position in the editor footer and then count, etc. However … if I HYPOTHETICALLY decided to do this, it would be my little secret, heh-heh!
Ivan, now this is what I’m talkin’ 'bout! You da man! One of these weekends I’ll grab that and see what I can do with it.
One thing that impresses me a great deal about Xojo is that there seem to be primitives and tools and hooks to do almost anything you might need or wish to. On the language side, I was quite surprised to find structs, for example, or really even interfaces.
I thought I was going to have to slum it a bit. Now I don’t even have the editor’s built-in code formatting Nazi to complain about!
THANK YOU THOM.
One has work on his plate. I checked the documentation and saw where my code far above comes from:
Database.ExecuteSQL
And… I believe this is the first time I have seen the full code as Thom shared above (or it is the first time I understand how it works); usually, the ,Values) part of the code is missing, and that is why I never used the CustomerID = ?1 way of coding.
I’ll keep the snippet on hand for future use…
It doesn’t have to be exactly like this. I would tend to do @Thom_McGrath 's example as follows (example with 3 fields rather than 7):
Database.ExecuteSQL("UPDATE Customers SET CustomerID = ?1, CustomerName = ?2, ContactName = ?3 WHERE ID = ?4;", TF_Customer_ID.Text, TF_Customer_Name.Text, TF_Contact_Name.Text, Record_ID)
This I understand too.
Does Xojo do the same here or not?
?8;", Values
How do the values get into ?1?
To me it looks like
field = ?1 is similar to field = " + arg(1, data)
because it ends up in the SQL query string.
Values is an array (declared and used as one)… so using
Field = ?1 …/… ;", Values)
says to me: “Place Values(1) here…”
No it isn’t. The parameter handling is done inside the SQL system. It does not build a query string similar to yours. This also means it is not necessary to escape your single quotes if you do it this way.
In most queries, I do the same. Sometimes I’ll use the array if I’m setting up values for two possible queries, such as an update vs insert. Or if I have a lot of them, it can be easier to keep track of. Since we’re talking about the code editor’s handling of multiple lines, it made sense to use the array. But yeah, most of the time it’s just easier to include the values directly.
OT
database client library or server side?
Good question, I’m not certain, but I believe it happens on the server. The values are sent as-is, and the engine does the work inserting the records. It doesn’t actually escape anything, because it doesn’t need to.
Here’s something to consider. Should an escape routine remove null characters? If ASCII encoded, I’d say almost certainly. But if UTF-8, it should not. And what about binary data? Escaping is a complex subject, so to get it right, let the database do the heavy lifting.
Besides, it makes life more convenient. Notice how I passed the record id as an integer instead of having to worry about converting it to a string?
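An added example, not from this thread and not Xojo code: the string-built UPDATE the thread is discussing beside Thom's parameterized shape, run in Python against an in-memory SQLite database so the difference is observable. Python's sqlite3 module stands in for Xojo's Database.ExecuteSQL, the escape_quotes helper stands in for a home-made Secure(), and the Customers table, its two rows and the attacker payload are all constructed for the demo.

```python
import sqlite3


def escape_quotes(value: str) -> str:
    """Home-made 'Secure()'-style escaping: doubles apostrophes and nothing else."""
    return value.replace("'", "''")


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customers in an in-memory SQLite database."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE Customers (ID INTEGER PRIMARY KEY, CustomerID TEXT, "
        "CustomerName TEXT, City TEXT, Notes BLOB)"
    )
    con.executemany(
        "INSERT INTO Customers (ID, CustomerID, CustomerName, City) VALUES (?, ?, ?, ?)",
        [(1, "C001", "Alfreds Futterkiste", "Berlin"),
         (2, "C002", "Ana Trujillo", "Mexico City")],
    )
    con.commit()
    return con


def update_concatenated(con, record_id, customer_id, name, city, escape=False):
    """The string-built UPDATE from the thread. With escape=True the text fields
    get their apostrophes doubled, as a hand-rolled Secure() would do; the record
    id is still glued in as text, exactly like Str(Record_ID)."""
    f = escape_quotes if escape else (lambda s: s)
    sql = ("UPDATE Customers SET CustomerID='" + f(customer_id) + "', "
           "CustomerName='" + f(name) + "', "
           "City='" + f(city) + "' "
           "WHERE ID=" + str(record_id) + ";")
    con.execute(sql)  # the assembled text is handed to SQLite as the statement
    con.commit()


def update_parameterized(con, record_id, customer_id, name, city, notes=None):
    """Thom's shape: the SQL text is fixed, the values travel separately as bound
    parameters (SQLite's ?NNN placeholders, bound by position here)."""
    con.execute(
        "UPDATE Customers SET CustomerID=?1, CustomerName=?2, City=?3, Notes=?4 "
        "WHERE ID=?5",
        (customer_id, name, city, notes, record_id),
    )
    con.commit()


def rows(con):
    return con.execute(
        "SELECT ID, CustomerID, CustomerName, City, Notes FROM Customers ORDER BY ID"
    ).fetchall()


def demo():
    # Constructed attacker input typed into TF_City: closes the quote, rewrites
    # the WHERE clause, and comments out the rest of the statement.
    payload = "Oslo' WHERE 1=1; --"

    # 1. Plain concatenation: every row is rewritten, not just ID 1.
    con = make_db()
    update_concatenated(con, 1, "C001", "Alfreds Futterkiste", payload)
    clobbered = [r[3] for r in rows(con)]

    # 2. Apostrophe escaping defeats that payload, but the unquoted numeric id
    #    has no apostrophe to escape, so "1 OR 1=1" still hits every row.
    con = make_db()
    update_concatenated(con, "1 OR 1=1", "C001", "Alfreds Futterkiste", "Oslo", escape=True)
    escaped_still_clobbered = [r[3] for r in rows(con)]

    # 3. Bound parameters: the payload is stored verbatim in row 1 only, and an
    #    apostrophe, non-ASCII text, an integer id and NUL-bearing bytes all
    #    round-trip with no escaping at all.
    con = make_db()
    update_parameterized(con, 1, "C001", "O'Brien & Söhne", payload, b"\x00\xff'--")
    safe = rows(con)
    return clobbered, escaped_still_clobbered, safe


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The second scenario is the point made above about escaping routines: doubling apostrophes handles the one character it was written for and nothing else, while the bound-parameter path never has to decide what to escape because the value never becomes part of the SQL text.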
For SQLite, the database library, obvs, as there is no server.
See here:
https://documentation.xojo.com/topics/databases/protecting_your_database_from_attack.html
obviously
This can be done in the Xojo editor too by putting the + as the first character on the next line.
SQL_Cmd = "UPDATE Customers " _
+ "SET CustomerID='" + TF_Customer_ID.Text + "', " _
+ "CustomerName ='" + TF_Customer_Name.Text + "', " _
+ "ContactName ='" + TF_Contact_Name.Text + "', " _
+ "Address ='" + TF_Address.Text + "', " _
+ "City ='" + TF_City.Text + "', " _
+ "PostalCode ='" + TF_Postal_Code.Text + "', " _
+ "Country ='" + TF_Country.Text + "' " _
+ "WHERE ID =" + Str(Record_ID) + ";"