I'm not sure what you mean. Should the toplevel code example be extended or removed?
/ Peter Lundqvist (disjunkt)
Previous text:
2003-10-22 06:56: Subject: Re: Proposal-patch for documentation of Sql.pike
In the last episode (Oct 22), Peter Lundqvist (disjunkt) @ Pike (-) developers forum said:
Oh, BTW. I was asked to ask to explain SQL injections yesterday. Would this amendment be superfluous in a Pike manual?
+//! This type of problems can be avoided by quoting @tt{my_input@}. +//! @tt{my_input@} would then probably read something like +//! @i{rob' OR name!='rob@}
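Review bot: the added @tt{my_input@} text presents quote() as the fix, but query() on the same object already takes a bindings mapping (the :baz form), which removes the need to assemble the query string at all; suggest saying that bind variables are the normal approach and that quote() is for the rare case where the query text really has to be built by hand. Minor: "This type of problems" should read "This type of problem".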
You might want to also mention that in most cases it's cleaner to simply use bind variables, and much harder to screw up. Very rarely do you have to actually build a query string such that quote() is needed.
Two more nits:
1- The toplevel Sql description has an example of using %s printf syntax, but there's only an example of :bind syntax in the docs for query(). It'd be nice if both syntax examples were in the query() page.
2- The description for :bind substitution doesn't mention that you can just use "variable" in your mapping instead of ":variable", and I bet most people use the first style anyway.
How about two examples:
mapping m = ([ ]);
m->baz = "value";   // the key may also be written ":baz"
array(mapping) result = query("select foo from bar where gazonk=:baz", m);

array(mapping) result = query("select foo from bar where gazonk=%s", "value");
-- Dan Nelson dnelson@allantgroup.com
/ Brevbäraren
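The quoting and bind-variable points in the thread, as an added Python/SQLite model of the behaviour discussed (not code from the thread or from Sql.pike); the quote() stand-in, the table and its rows are constructed for the example, and the bound form accepts the mapping key with or without the leading colon as described above.

```python
import sqlite3

# Constructed sample data: three users, one of them named "rob".
ROWS = [("rob", "t1"), ("alice", "t2"), ("bob", "t3")]

def open_db():
    """In-memory SQLite database holding the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (name text, token text)")
    con.executemany("insert into users values (?, ?)", ROWS)
    return con

def quote(s):
    """Stand-in for Sql.Sql's quote(): double every single quote so the value
    cannot close the string literal it is placed in (assumption: the quote is
    the only delimiter that needs escaping in this dialect)."""
    return s.replace("'", "''")

def names_where_name_is_unsafe(con, my_input):
    """Query string built by concatenation: the problem the doc patch describes."""
    sql = "select name from users where name='" + my_input + "' order by name"
    return [row[0] for row in con.execute(sql)]

def names_where_name_is_quoted(con, my_input):
    """Same query, but my_input is passed through quote() first."""
    sql = "select name from users where name='" + quote(my_input) + "' order by name"
    return [row[0] for row in con.execute(sql)]

def names_where_name_is_bound(con, bindings):
    """Bind-variable form. As with Pike's query(), the mapping key may be given
    as ":baz" or as "baz"; the driver, not the caller, takes care of quoting."""
    params = {(k[1:] if k.startswith(":") else k): v for k, v in bindings.items()}
    sql = "select name from users where name=:baz order by name"
    return [row[0] for row in con.execute(sql, params)]

if __name__ == "__main__":
    con = open_db()
    evil = "rob' OR name!='rob"
    print(names_where_name_is_unsafe(con, evil))          # every user is returned
    print(names_where_name_is_quoted(con, evil))          # nobody has that literal name
    print(names_where_name_is_bound(con, {":baz": evil})) # same, via bindings
    print(names_where_name_is_bound(con, {"baz": "rob"}))
```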