Open GoogleCodeExporter opened 9 years ago
Actually, there kind of are. While there's no method called "prepare" in the
Connection class, there is the Connection.Subst method, which safely quotes
parameters to the SQL statement, as well as the Connection.Quote method which
quotes a single parameter.
While these don't address the performance gains you get by, say, preparing a
SQL statement once (which pre-compiles it in other implementations such as Perl
DBI, when the DBMS supports it) and repeatedly executing it with different
parameters, they do address most of the security issues with inserting
parameters as strings, VB-style.
As a bonus, at least compared to Perl's implementation, when you use date
variables in Gambas and pass them through Quote or Subst, they're formatted
SQL-style (YYYY-MM-DD) rather than needing to convert them first using strftime
or something similar.
Original comment by raindog...@gmail.com
on 13 Mar 2012 at 6:10
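As an added illustration of the point made in this comment (example code, not from the issue or the Gambas sources): the same query built VB-style by concatenation and then through Connection.Subst, with Connection.Exec applying the same substitution directly. It assumes a SQLite database with a hypothetical table "orders" holding a text column "customer" and a date column "placed".

```gambas
' Added example, not taken from the issue or the Gambas project.
' Assumes a SQLite file database with a table "orders" holding the columns
' "customer" (text) and "placed" (date); table, columns and file are hypothetical.

Private Function UnsafeQuery(sCustomer As String, dSince As Date) As String
  ' VB-style concatenation: any quote inside sCustomer lands in the SQL text
  ' unescaped, so a name such as O'Brien breaks or changes the statement,
  ' and the Date has to be formatted by hand.
  Return "SELECT * FROM orders WHERE customer = '" & sCustomer & "' AND placed >= '" & Format(dSince, "yyyy-mm-dd") & "'"
End

Private Function SafeQuery(hConn As Connection, sCustomer As String, dSince As Date) As String
  ' Subst replaces &1, &2, ... with the arguments, quoting the string for the
  ' connection's DBMS and writing the Date as YYYY-MM-DD.
  Return hConn.Subst("SELECT * FROM orders WHERE customer = &1 AND placed >= &2", sCustomer, dSince)
End

Public Sub Main()
  Dim hConn As New Connection
  Dim rResult As Result
  Dim sName As String = "O'Brien"      ' constructed input containing a quote
  Dim dSince As Date = Date(2012, 3, 1)

  hConn.Type = "sqlite3"
  hConn.Host = Application.Path        ' directory holding the database file
  hConn.Name = "orders.sqlite"         ' hypothetical database file
  hConn.Open

  Print "concatenated: "; UnsafeQuery(sName, dSince)
  Print "substituted:  "; SafeQuery(hConn, sName, dSince)

  ' Connection.Exec performs the same &1/&2 substitution itself, so in
  ' practice the arguments are passed straight to Exec.
  rResult = hConn.Exec("SELECT * FROM orders WHERE customer = &1 AND placed >= &2", sName, dSince)
  For Each rResult
    Print rResult!customer; " "; Format(rResult!placed, "yyyy-mm-dd")
  Next

  hConn.Close
End
```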
Original comment by benoit.m...@gmail.com
on 14 Mar 2012 at 2:12
Original comment by benoit.m...@gmail.com
on 28 May 2012 at 8:10
Original comment by benoit.m...@gmail.com
on 15 Jul 2012 at 10:19
Original comment by benoit.m...@gmail.com
on 15 Jul 2012 at 10:56
Original issue reported on code.google.com by
carhartt...@gmail.com
on 13 Mar 2012 at 5:49