Inserting Xojo string held as Variable into SQLite Table

Using a Xojo WebApp SQLite Database, I can INSERT (4 literal strings) INTO 4 named columns

Self.db.ExecuteSQL(“INSERT INTO lineups (firstGuy, secondGuy, thirdGuy, fourthGuy) VALUES (‘John’, ‘Paul’, ‘George’, ‘Ringo’)”)

and I can

rs = Session.db.SelectSQL("SELECT * FROM tableName WHERE columnname = ?, xojoStringVariable)

But I can’t work out how to INSERT 4 strings held as Xojo variables INTO 4 named Columns in a table. Is this possible? And if so what is the syntax? Many thanks if you can help.

So the principal is the same:

TheSQL = “INSERT INTO lineups (firstGuy, secondGuy, thirdGuy, fourthGuy) VALUES (?,?, ?, ?)”
db.ExecuteSQL(TheSQL, EditField1.text, EditField2.text, EditField3.text, EditField4.text)

Assuming your database is setup for UTF8.

( " '"+Var1+"', '"+Var2+"', '"+Var3+"', '"+Var4+"' ") 

Please, do not do this. It is fraught with danger. Literally. Look up SQL Injection. By crafting the values put into the text fields this could do anything from deleting your entire database to giving your attacker copies of everything in there.



Just giving the OP a direction but yes SQL Injection does always have to be considered BUT not every application made is for a public facing audience

How do we know the OP did not create Var literals?
Much to consider besides just always assuming someone else is wrong

Agreed, you can also have people who work for you and just didn’t like their last pay rise.

Bad practice is bad practice. Don’t encourage sloppy programming in your own code.

1 Like

We can agree to disagree but if making yourself feel superior is satisfying to you then by all means be happy

If you think that is what I’m doing you are wrong. I am discouraging dangerous practice. Especially, when it is easier to actually do it a safe way.

Public Message Received, take care and be safe,

Indeed. I’ve certainly got it wrong in the past. Being subject to a all be it benign hack is a wakeup call I don’t want others to have.

It’s just as simple to do it the right way. There’s no benefit to doing what you suggest, so why bother.

Well thank you both for the help. Please don’t come to blows over it. I shall look up SQL injection and any potential risks before I code it.

See xkcd: Exploits of a Mom for a concise explanantion of SQL injection.


Yes I have seen that strip for many many years

SQL Injection is a real threat and does need to be taken seriously
I was saying how does anyone know that these are not variables or properties that are coded and cannot be entered by any user?

That’s like saying that since I know I unloaded the gun, playing Russian Roulette with it will be quite safe.

The answer to that is don’t take the risk at any time. Otherwise you get to doing one that does matter and are used to doing it a certain way. And then you’re dead.

Can anyone say “Alec Baldwin”

According to him the weapon fired by itself, no?

Indeed, but if you don’t ever point it at your head, or someone else you will be fine. Don’t use an SQL database without prepared statements. It then can’t go wrong.