SELECT Prepared Statement

I use a SELECT command to check if the username and password hash match on login. I then use Prepared Statements for all UDPATE and INSERT INTO commands to stop SQL injections.

How can I stop someone inserting a username ‘;DROP TABLE Users’ on login ie can I use a SELECT command in a Prepared Statement?

Yes, you can use a SELECT in a Prepared Statement.

Yes, absolutely.

Samples here:

dim ps as PreparedSQLStatement = _ 
    db..Prepare( "SELECT * FROM users WHERE username = $1 AND hash = $2")
// Call BindType here if needed
dim rs as RecordSet = ps.SQLSelect( un, hash )
if db.Error then

Thank you all

I now have SELECT Prepared Statements working within SQLDatabaseMBS.

Using Perpared Statements with SQLite or PostgreSQL can mostly perfect be done with the native Xojo plugins.

Thank you @Joost Rongen , I am glad you have them working in the Xojo plugins — I assumed that this worked from the comments above.

I tend to prefer the MBS SQLDatabaseMBS plugin so I can create database agnostic applications without having multiple case statements per SQL database brand. I just thought I would inform the SQLDatabaseMBS users that they can get the same Prepared Statement functionality.

Plus, you can connect in it’s own Thread (not blocking the MainThread) :slight_smile: