Delphi / MySql: string escaping issues

N00b here, having string escaping issues. I used the function QuotedStr(); this is not enough.

Unfortunately, the string I'm trying to quote is pretty messy, but I'll post it here in case someone wants to paste it into WinMerge or KDiff3, etc.

I am trying to save the entire Delphi form in a database rather than in a .DFM file. It has only one field, a TEdit edit field.

The debugger displays the form as the text

'object Form1: TScriptForm'#$D#$A' Left = 0'#$D#$A' Top = 0'#$D#$A' Align = alClient'#$D#$A' BorderStyle = bsNone'#$D#$A' ClientHeight = 517'#$D#$A' ClientWidth = 993'#$D#$A' Color = clBtnFace'#$D#$A' Font.Charset = DEFAULT_CHARSET'#$D#$A' Font.Color = clWindowText'#$D#$A' Font.Height = -11'#$D#$A' Font.Name = 'MS Sans Serif''#$D#$A' Font.Style = []'#$D#$A' OldCreateOrder = False'#$D#$A' SaveProps.Strings = ('#$D#$A' 'Visible=False')'#$D#$A' PixelsPerInch = 96'#$D#$A' TextHeight = 13'#$D#$A' object Edit1: TEdit'#$D#$A' Left = 192'#$D#$A' Top = 64'#$D#$A' Width = 121'#$D#$A' Height = 21'#$D#$A' TabOrder = 8'#$D#$A' end'#$D#$A'end'#$D#$A 

before calling QuotedStr() and

 ''object Form1: TScriptForm'#$D#$A' Left = 0'#$D#$A' Top = 0'#$D#$A' Align = alClient'#$D#$A' BorderStyle = bsNone'#$D#$A' ClientHeight = 517'#$D#$A' ClientWidth = 993'#$D#$A' Color = clBtnFace'#$D#$A' Font.Charset = DEFAULT_CHARSET'#$D#$A' Font.Color = clWindowText'#$D#$A' Font.Height = -11'#$D#$A' Font.Name = ''MS Sans Serif'''#$D#$A' Font.Style = []'#$D#$A' OldCreateOrder = False'#$D#$A' SaveProps.Strings = ('#$D#$A' ''Visible=False'')'#$D#$A' PixelsPerInch = 96'#$D#$A' TextHeight = 13'#$D#$A' object Edit1: TEdit'#$D#$A' Left = 192'#$D#$A' Top = 64'#$D#$A' Width = 121'#$D#$A' Height = 21'#$D#$A' TabOrder = 8'#$D#$A' end'#$D#$A'end'#$D#$A''' 

afterwards.

Strangely, my complete command

 'INSERT INTO designerFormDfm(designerFormDfmText) VALUES ("'object Form1: TScriptForm'#$D#$A' Left = 0'#$D#$A' Top = 0'#$D#$A' Align = alClient'#$D#$A' BorderStyle = bsNone'#$D#$A' ClientHeight = 517'#$D#$A' ClientWidth = 993'#$D#$A' Color = clBtnFace'#$D#$A' Font.Charset = DEFAULT_CHARSET'#$D#$A' Font.Color = clWindowText'#$D#$A' Font.Height = -11'#$D#$A' Font.Name = ''MS Sans Serif'''#$D#$A' Font.Style = []'#$D#$A' OldCreateOrder = False'#$D#$A' SaveProps.Strings = ('#$D#$A' ''Visible=False'')'#$D#$A' PixelsPerInch = 96'#$D#$A' TextHeight = 13'#$D#$A' object Edit1: TEdit'#$D#$A' Left = 192'#$D#$A' Top = 64'#$D#$A' Width = 121'#$D#$A' Height = 21'#$D#$A' TabOrder = 8'#$D#$A' end'#$D#$A'end'#$D#$A''");' 

executes fine in the MySql console, but not from Delphi, where I pass this command as the command parameter to a function that does

  ADOCommand.CommandText := command;
  ADOCommand.CommandType := cmdText;
  ADOCommand.Execute();

I can only assume that I am having problems with escape sequences that contain single quotes (and QuotedStr() does not seem to escape backslashes (?!)).

What am I doing that is so obviously wrong?

+4
2 answers

@mawg, the @da-soft suggestion is fine; the best way to deal with inserts and updates is to use parameters.

Check this sample:

  // requires ADODB in the uses clause
  procedure SaveDesignerFormDfm(AdoConnection: TADOConnection; const YourData: string);
  var
    ADOCommand: TADOCommand;
  begin
    ADOCommand := TADOCommand.Create(nil);
    try
      ADOCommand.Connection := AdoConnection;
      ADOCommand.Parameters.Clear;
      // :designerFormDfmText is a named parameter; its value is bound by the
      // provider instead of being spliced into the SQL text
      ADOCommand.CommandText :=
        'INSERT INTO designerFormDfm (designerFormDfmText) VALUES (:designerFormDfmText)';
      ADOCommand.ParamCheck := False;
      ADOCommand.Parameters.ParamByName('designerFormDfmText').Value := YourData;
      ADOCommand.Execute;
    finally
      ADOCommand.Free;
    end;
  end;
+8
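The question's suspicion (QuotedStr() only doubles single quotes and knows nothing about backslashes) and this answer's advice (bind the value as a parameter) are two sides of the same point. The following is an added example, not code from the original post or from the Delphi/ADO libraries. It models how a MySQL server in its default sql_mode reads a single-quoted literal (backslash escapes active, '' as a literal quote; that modelling is an assumption of the example), feeds it three constructed inputs built with a QuotedStr() lookalike, and then shows the same inputs round-tripping through a bound parameter. sqlite3 stands in for the database on the parameterised path, since only the driver's binding behaviour matters there; the table and column names are the ones from the question.

```python
"""Why Delphi's QuotedStr() is not a MySQL escaper, and why a bound parameter is.

Added example (not from the original post). The scanner below is a model of
MySQL's default-mode string-literal rules; sqlite3 stands in for the server on
the parameterised path. All sample inputs are constructed.
"""
import sqlite3

# MySQL default-mode backslash escapes (assumption of this model); an unknown
# escape such as \x simply yields the character itself.
_BACKSLASH_ESCAPES = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t",
                      "Z": "\x1a", "\\": "\\", "'": "'", '"': '"'}


def quoted_str(s: str) -> str:
    """Delphi's QuotedStr: wrap in single quotes, double embedded quotes.
    Backslashes pass through untouched."""
    return "'" + s.replace("'", "''") + "'"


def build_insert(dfm_text: str) -> str:
    """The string-concatenation approach from the question."""
    return ("INSERT INTO designerFormDfm(designerFormDfmText) VALUES ("
            + quoted_str(dfm_text) + ");")


def mysql_scan_literal(sql: str, start: int):
    """Scan one single-quoted literal starting at sql[start] as a MySQL server
    in default sql_mode would. Returns (decoded_value, index_after_closing_quote)
    or raises ValueError when the literal never terminates."""
    if sql[start] != "'":
        raise ValueError("no opening quote at offset %d" % start)
    out, i, n = [], start + 1, len(sql)
    while i < n:
        ch = sql[i]
        if ch == "\\" and i + 1 < n:                 # backslash escape
            out.append(_BACKSLASH_ESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if i + 1 < n and sql[i + 1] == "'":      # '' is a literal quote
                out.append("'")
                i += 2
            else:                                    # closing quote
                return "".join(out), i + 1
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def classify(dfm_text: str) -> str:
    """Build the INSERT by concatenation and report how MySQL would read it."""
    sql = build_insert(dfm_text)
    marker = "VALUES ("
    start = sql.index(marker) + len(marker)
    try:
        value, end = mysql_scan_literal(sql, start)
    except ValueError as exc:
        return "syntax error: " + str(exc)
    rest = sql[end:]
    if rest != ");":
        return "literal closed early, trailing SQL: " + rest
    if value != dfm_text:
        return "stored value differs from input"
    return "ok"


def store_with_parameter(dfm_text: str) -> str:
    """The answer's approach: bind the value instead of splicing it into SQL.
    Nothing in the value is ever parsed as SQL, so quotes and backslashes
    need no escaping at all."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE designerFormDfm (designerFormDfmText TEXT)")
    con.execute("INSERT INTO designerFormDfm (designerFormDfmText) VALUES (?)",
                (dfm_text,))
    (stored,) = con.execute(
        "SELECT designerFormDfmText FROM designerFormDfm").fetchone()
    con.close()
    return stored


# Constructed inputs: a DFM-like line (quotes only), a value with a backslash
# right before a quote, and an injection payload abusing the same gap.
SAMPLES = {
    "dfm line":  "  Font.Name = 'MS Sans Serif'\r\n",
    "backslash": "Caption = 'C:\\'",
    "injection": "x\\'); DROP TABLE designerFormDfm; -- ",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print("%-10s concatenated: %s" % (name, classify(text)))
        print("%-10s bound:        round-trips=%s"
              % (name, store_with_parameter(text) == text))
```

The DFM-like line survives concatenation because MySQL accepts the doubled quotes QuotedStr() produces. The value ending in a backslash does not: MySQL consumes the backslash and the following quote as one escaped character, so the doubled quotes that were meant to close the literal are swallowed and the statement is unterminated, which is the kind of failure the question describes. The third input is the same gap used deliberately: the literal closes early and the rest of the attacker's text becomes SQL. Whether the trailing DROP TABLE actually runs depends on the connection allowing multiple statements, but the literal boundary is already broken either way. With a bound parameter all three values round-trip unchanged.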

Short answer: use a parameterized query!

+6

Source: https://habr.com/ru/post/1311585/
