[mythtv] escaping strings in sql queries

Philippe C. Cattin cattin at vision.ee.ethz.ch
Wed Dec 24 06:16:34 EST 2003


>>I did exactly this for mythbrowser last night.
>>I was working on the very same problem for mythbrowser last night. I
>>implemented a mythbrowser specific solution, although I prefer a global
>>function to do it.
>>
>>what I found out so far is that the single quote ', the % and _ need to
>>be escaped (the double quote " seems to work fine without escaping).
> 
> 
> So, if you like to use it in mythbrowser, too, maybe the attached escapeString 
> function in util.* is helpful. I am not sure which things need to be escaped 
> for an SQL query, the method in the patch should escape \"%_'.
> This is not tested, but taken from tested (and GPLed) kdevelop code, just the 
> escaped characters are changed. When I have time these days I'll try to apply 
> this function in all places where it makes sense, test it and provide another 
> (trivial) patch.

I decided to use the bindValue approach suggested by A. Withers. It 
seems to be a lot cleaner and simpler than to escape them by hand.

Now I have to dive into the key-binding stuff as it seems to interfere 
with mythbrowser somehow (dialog-box navigation doesn't work as 
expected anymore).

regards, Philippe
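Added example (not code from this thread or from MythTV): the bindValue approach versus the hand-written escapeString helper, using Python's sqlite3 placeholders as a stand-in for QSqlQuery::bindValue. The bookmarks table, URLs and title string are constructed for the demo.

```python
import sqlite3

# Constructed sample title holding every character the thread worries about:
# single and double quotes, a backslash, and the LIKE wildcards % and _.
SAMPLE_TITLE = 'O\'Reilly\'s 100% "_test_" \\ page'


def escape_string(s: str) -> str:
    """Hand escaping as the proposed util.* helper would do it: prefix
    each of \\ " % _ ' with a backslash. Shown for comparison only; which
    characters a backend really needs escaped is driver specific, which is
    the argument for binding instead."""
    return ''.join('\\' + ch if ch in '\\"%_\'' else ch for ch in s)


def insert_bound(conn, url, title):
    # The value travels separately from the SQL text, so nothing in
    # `title` is interpreted as SQL and nothing needs escaping.
    conn.execute("INSERT INTO bookmarks (url, title) VALUES (?, ?)",
                 (url, title))


def find_exact(conn, title):
    row = conn.execute("SELECT url FROM bookmarks WHERE title = ?",
                       (title,)).fetchone()
    return row[0] if row else None


def find_like(conn, fragment, escape_wildcards=True):
    # Binding keeps the value out of the SQL text, but inside LIKE the
    # % and _ in a bound value are still wildcards. Escape just those two
    # and declare the escape character.
    if escape_wildcards:
        fragment = (fragment.replace('\\', '\\\\')
                            .replace('%', '\\%')
                            .replace('_', '\\_'))
    rows = conn.execute(
        "SELECT url FROM bookmarks WHERE title LIKE ? ESCAPE '\\'",
        ('%' + fragment + '%',)).fetchall()
    return [r[0] for r in rows]


def demo():
    conn = sqlite3.connect(':memory:')
    conn.execute("CREATE TABLE bookmarks (url TEXT, title TEXT)")
    insert_bound(conn, 'http://example.invalid/a', SAMPLE_TITLE)
    insert_bound(conn, 'http://example.invalid/b', 'plain 1000 title')
    return {
        'round_trip': find_exact(conn, SAMPLE_TITLE),          # stored verbatim
        'literal_underscore': find_like(conn, '100_'),         # []
        'wildcard_underscore': find_like(conn, '100_', False),  # both rows
    }
```

The round trip shows the bound value needs no escaping at all; the two LIKE lookups show why % and _ still deserve attention once the value is used as a pattern.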

