Strip Bad SQL Characters
nugax:
I'm trying to write a program that strips out bad chars for SQL insert.
Things like ( ' " , ) -
I have tried TStrings but you cannot access an individual char (that I can find) to change. I have tried Move but get an access violation. Can you guys assist with a better idea? Right now, I just have it dropping the bad character (which is typically a formatting char, I think).
Below is where I am at, but it produces an access violation:
--- Code: Pascal ---
function StripBadSQLChar(sStringGiven: string): string;
var
  iCnt: integer;
  sReturnString: string;
  boolBadChar: boolean;
begin
  try
    iCnt := 0;
    boolBadChar := False;
    sReturnString := '';
    // Note: Pascal string indices start at 1, so iCnt = 0 is never a character
    while (iCnt < length(sStringGiven)) do
    begin
      case sStringGiven[iCnt] of
        #34:
          begin
            boolBadChar := True;
            Write('Found quote');
          end;
        #39:
          begin
            boolBadChar := True;
          end;
        #92:
          begin
            boolBadChar := True;
          end
        else
          begin
            if (boolBadChar = False) then
            begin
              // sReturnString is still '' here, so sReturnString[iCnt] has no storage
              // behind it; this Move is the write that raises the access violation
              move(sStringGiven[iCnt], sReturnString[iCnt], 1);
              //AppendStr(sReturnString[iCnt], sStringGiven[iCnt]);
              //sReturnString[iCnt] := sStringGiven[iCnt];
            end;
          end;
      end;
      Inc(iCnt);
    end;
  finally
    Result := sReturnString;
  end;
end;
--- End code ---
Zvoni:
Why don't you just replace the "Bad" Chars with EmptyStr?
EDIT: Your AV probably stems from "sReturnString[iCnt]" not existing...
You initialize sReturnString with an empty string, so even sReturnString[0] doesn't exist.
nugax:
--- Quote from: Zvoni on April 21, 2022, 04:26:06 pm ---Why don't you just replace the "Bad" Chars with ''?
--- End quote ---
it would look weird.
I got it done with a simple string replace
PascalDragon:
--- Quote from: nugax on April 21, 2022, 03:48:28 pm ---Im trying to write a program that strips out bad char for SQL insert
Things liike ( ' " , ) -
--- End quote ---
Why don't you use prepared statements with parameters instead? Something like “insert into Foobar (Col1, Col2, Col3) values (:arg1, :arg2, :arg3)”? Cause then you don't need to worry about that...
kqha:
You should try to use a prepared statement, just like
--- Quote from: PascalDragon on April 21, 2022, 06:13:03 pm ---Why don't you use prepared statements with parameters instead? Something like “insert into Foobar (Col1, Col2, Col3) values (:arg1, :arg2, :arg3)”? Cause then you don't need to worry about that...
--- End quote ---
But in case you really need to strip them manually, it will be more readable (and less prone to error) to just write it like:
--- Code: Pascal ---
uses
  StrUtils;

// Drops double quote (#34), single quote (#39) and backslash (#92) from the input
function StripBadSQLChar(sStringGiven: string): string;
begin
  Result := ReplaceStr(sStringGiven, #34, '');
  Result := ReplaceStr(Result, #39, '');
  Result := ReplaceStr(Result, #92, '');
end;
--- End code ---
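As an added example that is not code from this thread, here is the parameterised insert PascalDragon describes, written as a complete Free Pascal program against SQLdb with the SQLite driver. The table Foobar and its columns come from his post; the in-memory database (DatabaseName ':memory:') and the three sample values are constructed for the demo and are assumptions, not anything the thread states. The values deliberately contain the quote and backslash characters nugax wanted to strip, to show that with parameters they are stored and read back unchanged instead of being lost or treated as SQL syntax.

```pascal
program ParamInsertDemo;
{$mode objfpc}{$H+}

uses
  SysUtils, sqldb, sqlite3conn;

var
  Conn: TSQLite3Connection;
  Trans: TSQLTransaction;
  Query: TSQLQuery;
begin
  Conn := TSQLite3Connection.Create(nil);
  Trans := TSQLTransaction.Create(nil);
  Query := TSQLQuery.Create(nil);
  try
    // Assumption: an in-memory SQLite database so the demo runs offline
    Conn.DatabaseName := ':memory:';
    Conn.Transaction := Trans;
    Trans.DataBase := Conn;
    Query.DataBase := Conn;
    Query.Transaction := Trans;
    Conn.Open;

    // Schema for the table named in PascalDragon's example statement
    Trans.StartTransaction;
    Conn.ExecuteDirect('CREATE TABLE Foobar (Col1 TEXT, Col2 TEXT, Col3 TEXT)');
    Trans.Commit;

    // The parameterised INSERT: the statement text never contains user data,
    // so no character in the values can change the meaning of the SQL
    Query.SQL.Text := 'insert into Foobar (Col1, Col2, Col3) values (:arg1, :arg2, :arg3)';
    // Constructed sample values holding the "bad" characters from the thread
    Query.Params.ParamByName('arg1').AsString := 'O''Brien';        // single quote
    Query.Params.ParamByName('arg2').AsString := 'say "hi"';        // double quotes
    Query.Params.ParamByName('arg3').AsString := 'C:\temp\file.txt'; // backslashes
    Query.ExecSQL;
    Trans.Commit;

    // Read the row back: the driver returns the values exactly as given,
    // which a strip-the-characters approach cannot do
    Query.SQL.Text := 'select Col1, Col2, Col3 from Foobar';
    Query.Open;
    while not Query.EOF do
    begin
      WriteLn(Query.FieldByName('Col1').AsString, ' | ',
              Query.FieldByName('Col2').AsString, ' | ',
              Query.FieldByName('Col3').AsString);
      Query.Next;
    end;
    Query.Close;
  finally
    Query.Free;
    Trans.Free;
    Conn.Free;
  end;
end.
```

Build it with fpc and run it with the sqlite3 shared library available on the system; it prints one line with the three values intact. The point for the original question is that parameters remove the problem rather than the characters: the database receives the SQL text and the values separately, so a name like O'Brien is stored correctly and no list of "bad" characters has to be maintained.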