Escaping single quotes in SQL queries

L

lists

I'm trying to do something like the following with sqlite3:

message_num = '1'

message_text = "This won't work"

db = SQLite3::Database.new('/tmp/test.db')

db.execute( "INSERT INTO table VALUES('#{message_num}', '#
{message_text}');" )

The above query fails because the single quote in message_text isn't
escaped. In my actual script, message_text is part of a huge hash
fed in by another process. I thought about double quoting #
{message_text} in the SQL but that chokes if message_text contains
double quotes. Any ideas?

Thanks,
Ryan
 
Y

Yohanes Santoso

lists said:
I'm trying to do something like the following with sqlite3:

message_num = '1'

message_text = "This won't work"

db = SQLite3::Database.new('/tmp/test.db')

db.execute( "INSERT INTO table VALUES('#{message_num}', '#
{message_text}');" )

The above query fails because the single quote in message_text isn't
escaped. In my actual script, message_text is part of a huge hash
fed in by another process. I thought about double quoting #
{message_text} in the SQL but that chokes if message_text contains
double quotes. Any ideas?

Thanks,
Ryan
Click to expand...

This is prone to sql injection attack. Consider using
placeholders which is meant to relieve you of this mechanical burden.
Look at the doc for Database#execute.

Example:

db.execute('INSERT INTO table VALUES (?,?)',
message_num, message_text)


YS.
 
J

Jamis Buck

I'm trying to do something like the following with sqlite3:

message_num = '1'

message_text = "This won't work"

db = SQLite3::Database.new('/tmp/test.db')

db.execute( "INSERT INTO table VALUES('#{message_num}', '#
{message_text}');" )

The above query fails because the single quote in message_text
isn't escaped. In my actual script, message_text is part of a huge
hash fed in by another process. I thought about double quoting #
{message_text} in the SQL but that chokes if message_text contains
double quotes. Any ideas?
Click to expand...

There are (at least) two ways to handle this:

1. Use SQLite3::Database.quote:

message_text = SQLite3::Database.quote("This won't work")

2. Use bind variables:

db.execute( "INSERT INTO table VALUES (?, ?)", 1, "This won't work" )

Hope that helps,

- Jamis
 
L

lists

db.execute('INSERT INTO table VALUES (?,?)',
message_num, message_text)
Click to expand...


2. Use bind variables:

db.execute( "INSERT INTO table VALUES (?, ?)", 1, "This won't
work" )
Click to expand...


That did the trick, thanks Yohanes and Jamis!
1. Use SQLite3::Database.quote:

message_text = SQLite3::Database.quote("This won't work")
Click to expand...

I didn't know about that one (obviously) so thanks for passing that
along.

-Ryan
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Backticks with single quote inside single quotes 10
SQLite3::SQLException: SQL logic error or missing database 6
Strangeness with ruby-web and sqlite3 2
How to Handle a SQL Statement with Quotes 1
Bug in SQLite3 Ruby wrapper when results_as_hash=true? 3
Help on SQLITE3-ruby (1.2.3) Windows problem 3
ASP.Net single quotes embedded SQL multiple conditions 5
escaping single quotes in a string with gsub 5

Members online

No members online now.
Total: 20 (members: 1, guests: 19)
Robots: 197

Forum statistics

Threads
473,756
Messages
2,569,535
Members
45,008
Latest member
obedient dusk

Latest Threads

Top