I use a SELECT command to check if the username and password hash match on login. I then use Prepared Statements for all UPDATE and INSERT INTO commands to stop SQL injections.
How can I stop someone inserting a username ‘;DROP TABLE Users’ on login, i.e. can I use a SELECT command in a Prepared Statement?
Yes, you can use a SELECT in a Prepared Statement.
dim ps as PreparedSQLStatement = _
  db.Prepare( "SELECT * FROM users WHERE username = $1 AND hash = $2" )
// Call BindType here if needed (SQLite/MySQL); PostgreSQL-style $1/$2 placeholders shown
dim rs as RecordSet = ps.SQLSelect( un, hash )
if db.Error then
  // Log db.ErrorMessage server-side rather than showing it on the login form
  return false
end if
// A row came back, so the username/hash pair exists
return rs <> nil and not rs.EOF
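The same idea as a complete, self-contained login check, added here as an example and not code from the thread. It uses Xojo's classic API against an in-memory SQLiteDatabase so it runs without a database server; with PostgreSQL the placeholders become $1/$2 and the BindType calls are not needed. The users table, its column names, the CredentialsMatch/Demo names and the placeholder hash string are assumptions for this example only.

```xojo
' Added example, not from the original thread. Classic Xojo API, in-memory SQLite.
' Table name, column names and the hash value below are assumptions for the demo.

Function CredentialsMatch(db As SQLiteDatabase, un As String, hash As String) As Boolean
  ' The SQL text is fixed when Prepare runs, so whatever un contains
  ' (for example ';DROP TABLE Users) is transmitted as a value and never parsed as SQL.
  Dim ps As SQLitePreparedStatement = db.Prepare("SELECT 1 FROM users WHERE username = ? AND hash = ?")
  ps.BindType(0, SQLitePreparedStatement.SQLITE_TEXT)
  ps.BindType(1, SQLitePreparedStatement.SQLITE_TEXT)
  ps.Bind(0, un)
  ps.Bind(1, hash)
  Dim rs As RecordSet = ps.SQLSelect
  If db.Error Then
    ' Log db.ErrorMessage server-side; do not echo database errors to the login form
    Return False
  End If
  If rs Is Nil Then Return False
  Dim found As Boolean = Not rs.EOF
  rs.Close
  Return found
End Function

Sub Demo()
  Dim db As New SQLiteDatabase   ' no DatabaseFile set, so Connect creates an in-memory database
  If Not db.Connect Then Return
  db.SQLExecute("CREATE TABLE users (username TEXT PRIMARY KEY, hash TEXT)")

  ' Inserts go through a prepared statement as well, same rule as for the SELECT
  Dim ins As SQLitePreparedStatement = db.Prepare("INSERT INTO users (username, hash) VALUES (?, ?)")
  ins.BindType(0, SQLitePreparedStatement.SQLITE_TEXT)
  ins.BindType(1, SQLitePreparedStatement.SQLITE_TEXT)
  ' "hash-of-alice-password" stands in for whatever your hashing routine produces
  ins.SQLExecute("alice", "hash-of-alice-password")

  ' Legitimate login: username and hash both match a row
  Dim ok As Boolean = CredentialsMatch(db, "alice", "hash-of-alice-password")
  ' Injection attempt: the payload is compared as a literal username and matches nothing
  Dim attack As Boolean = CredentialsMatch(db, "';DROP TABLE Users", "anything")
  ' The users table is still present afterwards
  Dim rs As RecordSet = db.SQLSelect("SELECT count(*) AS n FROM users")
  Dim rowsLeft As Integer = rs.Field("n").IntegerValue
  rs.Close

  System.DebugLog("alice login ok: " + Str(ok) + ", injection login ok: " + Str(attack) + _
    ", rows still in users: " + Str(rowsLeft))
  db.Close
End Sub
```

Run Demo from a button or App.Open and watch the debug log: the injection string never reaches the SQL parser, it is simply a username that does not exist. One caveat that the thread does not cover: compare a hash the server computes itself (salted, with a password-hashing function) rather than trusting a hash sent by the client, otherwise the stored hash becomes the password.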
I now have SELECT Prepared Statements working within SQLDatabaseMBS.
Using Prepared Statements with SQLite or PostgreSQL can mostly be done perfectly well with the native Xojo plugins.
Thank you @Joost Rongen, I am glad you have them working in the Xojo plugins; I assumed that this worked from the comments above.
I tend to prefer the MBS SQLDatabaseMBS plugin so I can create database agnostic applications without having multiple case statements per SQL database brand. I just thought I would inform the SQLDatabaseMBS users that they can get the same Prepared Statement functionality.
Plus, you can connect in its own Thread (not blocking the MainThread).