Jump to content

[Solved] SQLite in AutoIt: Parameterized Queries, and Receiving the Column Names after a SELECT Query


Zohar
 Share

Recommended Posts

Hi all


I would like to ask 2 questions regarding SQLite in AutoIt:


The First Question:
Is it possible to perform Parameterized Queries on SQLite in AutoIt?


Something like this:

SQLiteCommand C  =new SQLiteCommand(DB1);

C.CommandText  =
@"
        INSERT INTO T_Users (Name_First,Name_Last)
        VALUES (@Name_First,@Name_Last)
";

C.Parameters.AddWithValue("@Name_First",Textbox_Name_First.Text);
C.Parameters.AddWithValue("@Name_Last" ,Textbox_Name_Last.Text);

C.ExecuteNonQuery();

Just in AutoIt, instead of in C# :)

 

The Second Question:
Is it possible to perform a SELECT query which returns a table,
and receive not just the Data cells, but also another First row which will include the Column Names?


As an example,
instead of receiving this:

1-Without-Column-Names.png

I wish to receive this:

2-With-Column-Names.png

 


Thank you very much

Edited by Zohar
Link to comment
Share on other sites

Hi benners


Thank you very much for your reply.

Indeed, seems that _SQLite_GetTable2d() does what I want to do in Q2,
thank you very much.


So I am now looking for an answer regarding Q1 - Parameterized Queries..
Hopefully that can be achieved too.

Currently the closest thing to it that I found (in terms of Security) is
using _SQLite_Escape() and _SQLite_Encode().

Of course these 2 functions are not Parameterized Queries,
but they do give some protection from SQL Injection.

Edited by Zohar
Link to comment
Share on other sites

I'm not too clued op on databases, I can normally get by but for Q1,  you could pass the values as parameters to the function that writes to the database. If you had a GUI with inputs for first and last name, you would use guictrlread to read the input values and pass the results to the function.

If the database field type is text, use _SQLite_Escape() or _SQLite_FastEscape() to correctly quote the strings. I suppose it's up to the programmer to sanitize any passed values to make sure they are corrrect or non-malicious.

Link to comment
Share on other sites

For Q1, here's a possible answer:

Of course the benefit is you only prepare the SQL once, but in practice having to invoke a wrapper of DllCall() for every parameter makes it often slower than a single stringized SQL statement with all parms already embedded.

About SQL injection: such thing can only happen if you don't quote the values (parms) properly.

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Link to comment
Share on other sites

11 hours ago, jchd said:

For Q1, here's a possible answer:

Of course the benefit is you only prepare the SQL once, but in practice having to invoke a wrapper of DllCall() for every parameter makes it often slower than a single stringized SQL statement with all parms already embedded.

I see.
Thank you.
It complicates the code quite much, so I will not use it..

 

11 hours ago, jchd said:

About SQL injection: such thing can only happen if you don't quote the values (parms) properly.

Well,
you can quote the parameters properly,
but if the value(s) comes from the user, and the user starts playing with the quotes (as a part of the content that he enters), then the fact that you quoted the values properly will not help..

Am I correct?


For this reason, _SQLite_Escape() and _SQLite_Encode() are a must, when running an SQL Query that includes values that come from the user.

 

BTW,
I have a question regarding _SQLite_Escape() vs _SQLite_Encode():


If you want to store Binary data ("Blob") in the DB, then obviusly you will use _SQLite_Encode().

But If you want to store a String (Text) in the DB, then technically, you can use either one of them: _SQLite_Escape() or _SQLite_Encode().

So regarding storing a String,
will it be correct to say that we should always use just _SQLite_Escape(),
or are there cases where we store a String, and _SQLite_Encode() would be the right choice?

Edited by Zohar
Link to comment
Share on other sites

Keep it simple: string -> *_Escape, binary -> *_Encode

Numeric values (at least true ones) don't pose any problem, unless you beg for problems:

Local $v = "123';drop table X;--haha, fool you"

If $v <> 0 Then
    ConsoleWrite("select * from x where id like '" & $v)
    ConsoleWrite(@CRLF)
EndIf

RULE: always sanitize user input.

EDIT: note that the example also works without the single quotes game.

Local $v = "123;drop table X;--haha, fool you"

If $v > 100 Then
    ConsoleWrite("select * from x where id like " & $v)
    ConsoleWrite(@CRLF)
EndIf

 

Edited by jchd

This wonderful site allows debugging and testing regular expressions (many flavors available). An absolute must have in your bookmarks.
Another excellent RegExp tutorial. Don't forget downloading your copy of up-to-date pcretest.exe and pcregrep.exe here
RegExp tutorial: enough to get started
PCRE v8.33 regexp documentation latest available release and currently implemented in AutoIt beta.

SQLitespeed is another feature-rich premier SQLite manager (includes import/export). Well worth a try.
SQLite Expert (freeware Personal Edition or payware Pro version) is a very useful SQLite database manager.
An excellent eBook covering almost every aspect of SQLite3: a must-read for anyone doing serious work.
SQL tutorial (covers "generic" SQL, but most of it applies to SQLite as well)
A work-in-progress SQLite3 tutorial. Don't miss other LxyzTHW pages!
SQLite official website with full documentation (may be newer than the SQLite library that comes standard with AutoIt)

Link to comment
Share on other sites

40 minutes ago, Zohar said:

Does AutoIt have Functions for Sanitizing input strings?

No, you have to do that yourself according to your requirements.

EasyCodeIt - A cross-platform AutoIt implementation - Fund the development! (GitHub will double your donations for a limited time)

DcodingTheWeb Forum - Follow for updates and Join for discussion

Link to comment
Share on other sites

  • Zohar changed the title to [Solved] SQLite in AutoIt: Parameterized Queries, and Receiving the Column Names after a SELECT Query

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...