RTFdata in Windows OS

David_Schlam · June 7, 2017, 2:37pm

Using Xojo 2013 r3.3 in Mac OS and Xojo 2015 r4.1 in Windows and Postgres 9.1

I have a bytea data field in Postgres where I am storing rtfdata in Mac. Field saves and loads perfectly in Mac. In Windows, I get a hard crash.

To load the rtfdata I use:

  dim myStr as String
  myStr= defineencoding(myStr, encodings.UTF8)
  myStr=DecodeHex(rs.Field("body").StringValue)  <---- crash in Windows occurs here
  TextArea1.StyledText.RTFData = myStr

To store the rtfdata:

    //Encode the text area to be saved as a blob (bytea in PostgreSQL)
    dim myStr as String
    myStr=WordProcessor_container1.TextArea1.StyledText.RTFData
    myStr= defineencoding(myStr, encodings.UTF8)
    myStr = "\\x"+EncodeHex(myStr)
    row.Column("body") = mystr

Is something missing here?

Emile_Schwarz · June 7, 2017, 3:45pm

You apply an encoding in an empty variable ?

Did you try tosave / load your rtfdata to / from a file (first) ?
(if so, you know these data are correct)

What myStr = "\\x"+EncodeHex(myStr) is meant to ?

Christian_Schmitz · June 7, 2017, 3:46pm

Well, why do you do the hex thing at all?
RTF is just text with format commands inside.

You could put the field into a local variable and the text it contains to inspect it.

DaveS · June 7, 2017, 3:59pm

use a preparedstatement to store it back into the database… or else you invite trouble

David_Schlam · June 7, 2017, 9:23pm

[quote=334695:@Emile Schwarz]What myStr = “\x”+EncodeHex(myStr) is meant to ?

[/quote]
Postgres requires \x before a hex file

[quote=334696:@Christian Schmitz]Well, why do you do the hex thing at all?
RTF is just text with format commands inside.

[/quote]
I didn’t realize this. Will try it.

Not sure how this would apply here.

DaveS · June 7, 2017, 9:35pm

look up SQL Injection and you will…
Someone could very easily create an RTF document crafted in a manner that would wipe out your database.

Search this forum for “Little Bobby Tables”

David_Schlam · June 7, 2017, 11:05pm

[quote=334808:@Dave S]look up SQL Injection and you will…
Someone could very easily create an RTF document crafted in a manner that would wipe out your database.

Search this forum for “Little Bobby Tables”

[/quote]
So, if we encode the rtf data into hex, does that eliminate (or severely reduce) the chances of SQL Injection?

DaveS · June 7, 2017, 11:12pm

yes…
however, I would start to get used to prepared statements, as this isn’t going to be the only database application you may write, and I’d learn it now rather than later.

To be honest, it was something that I myself avoided for the longest time… but the app I am working on right now, would be either impossible or dangerous (injection wise) without prepared statements.

Tim_Hare · June 8, 2017, 3:19am

[quote=334686:@David Schlam]dim myStr as String
myStr= defineencoding(myStr, encodings.UTF8)
myStr=DecodeHex(rs.Field(“body”).StringValue) <---- crash in Windows occurs here
TextArea1.StyledText.RTFData = myStr
[/quote]
DefineEncoding does nothing here, since you just throw away the (empty) string anyway and replace it with a brand new string which has no encoding. Try

dim myStr as String
myStr=rs.Field("body").StringValue
myStr= defineencoding(myStr, encodings.UTF8)
myStr=DecodeHex(myStr)
TextArea1.StyledText.RTFData = myStr

DatabaseRecord uses a preparedstatement already, so the code he posted is ok.

David_Schlam · June 8, 2017, 11:39am

[quote=334897:@Tim Hare]DatabaseRecord uses a preparedstatement already, so the code he posted is ok.

[/quote]
So, if you use RecordSet.Edit or Database.InsertRecord, you are actually using a PreparedStatement? That’s good to know.

Although, Xojo preparedstatement wasn’t that hard to set up, RecordSet.Edit and Database.InsertRecord are definitely easier to work with.

Neil_Burkholder · June 8, 2017, 11:44am

Just an FYI for SQLite and PostgreSQL rs.edit / rs.update is much slower than the equivalent SQL. In MS Access the reverse is true. According to my tests.

David_Schlam · June 8, 2017, 12:04pm

I did have to change a number of records using a loop in Xojo which I did first using rs.update, and then (nothing ever goes as planned the first time) using a preparedstatement. I did notice a dramatic speed increase using preparedstatement (Postgres).

I’m a little confused though about binding. From the documentation:

[code]Dim ps As PostgreSQLPreparedStatement = _
db.Prepare(“SELECT * FROM Persons WHERE Name = $1 AND Age >= $2”)

ps.Bind(0, “john”)
ps.Bind(1, 20)[/code]

the first parameter in ps.bind, 0, binds the following parameter in ps.bind, “John”, to the first variable in postgres, $1? So, if I’m correct, the first parameter in ps.bind is zero based and the postgres parameters are 1 based.

So, it’s kind of similar to rs.edit / rs.update but you get the advantage of a dramatic speed increase.

Neil_Burkholder · June 8, 2017, 1:31pm

Yes that does seem a little strange. I guess I’m so used to it that I don’t think about it.