I have a ' in my TextField and SQLite complains

Emile_Schwarz · June 22, 2016, 12:32pm

Hi,

I recall earlier today that 25 years ago (or so), Excel was complaining when a text file with a single quote code[/code] was loaded. And so, I tested the addition of a ’ in a field and, yes, SQLite complains.

What can I do / must do ?

Use ReplaceAll(SourceText,"'","") // single quote surrounded with double quotes / replace ' with the curly quote () ?

Another solution (like \\') ?

Tim_Parnell · June 22, 2016, 12:46pm

Use a prepared statement and it will be handled for you.

Sascha_S · June 22, 2016, 12:49pm

Not at my Desk. Taken from my mind. May have spelling issues.

Dim ps As PreparedStatement db.Prepare("INSERT INTO myTable (myColumn) VALUES (?)") ps.Bind(0, myTextToInsert, SQLitePreparedStatement.Text) ps.SQLExecute

Albin_Kiland · June 22, 2016, 1:11pm

Get into the habit of using PreparedStatements all the time when you as a developer don’t have control over the input.
I always use it even if I am controlling the input, just to be safe.

Sascha_S · June 22, 2016, 1:44pm

[quote=273459:@Albin Kiland]Get into the habit of using PreparedStatements all the time when you as a developer don’t have control over the input.
I always use it even if I am controlling the input, just to be safe.[/quote]

There are only 2 cases in which i avoid them:

I work with User/3rd Party Input
In a Thread (but only if Number 1 is still true)

*2: Because i’ve read once, they are slow in a Thread…

Emile_Schwarz · June 22, 2016, 2:02pm

Tim, Sasha, Albin: thank you.

While this page was opening, I ws thinking: “I really have to start using PreparedStatements”.

I think that Now is the time to do that.

Use a prepared statement and it will be handled for you.
I love when it will be handled for you

Norman_P · June 22, 2016, 2:02pm

[quote=273463:@Sascha S]There are only 2 cases in which i avoid them:

I work with User/3rd Party Input
[/quote]
This is exactly when you SHOULD use them

Sascha_S · June 22, 2016, 2:19pm

OMG Norman! I am sorry for the confusion. This is exactly when i use them.
I was writing this post while i was in a Phone Conference…

There are only 2 cases in which i avoid them:

I work with NON User/3rd Party Input
In a Thread (but only if Number 1 is still true)

*2: Because i’ve read once, they are slow in a Thread…

Kem_Tekinay · June 22, 2016, 2:36pm

Have you tested this?

Sascha_S · June 22, 2016, 3:27pm

Not really (read:no)

Jean-Yves_Pochez · June 22, 2016, 4:39pm

what I don’t like about prepared statements is that they are different between databases …
they should really be unified in the syntax…

Norman_P · June 22, 2016, 5:15pm

Same as if you wrote raw sql
Different vendors have mostly similar things but lots of proprietary or non-standard bits too (functions etc)

David_Cox · June 23, 2016, 8:52am

Don’t forget that escaping characters works differently in a normal SQL command string such as UPDATE than inside a LIKE string.