It seems, that the prepared statements in the MushClient
interface doesn't support the binding of parameters,
however the DatabasePrepare understands the ? or ?1 syntax.
Here is what I've tried:
What I've expected from other sqlite interfaces, that DatabaseStep binds the extra parameters to ?-list of parameters.
If a dynamic parameter list is not possible to all supported script engine, I propose a new function DatabaseBind("db",1,data) to assign the first ?-occurrence the field-Data and so on prior to the DatabaseStep.
The big advantage of prepared statements with bound parameters they are type safe and the measure against sql injection.
The above example is working fine, but it just inserts an empty line instead of the real data.
interface doesn't support the binding of parameters,
however the DatabasePrepare understands the ? or ?1 syntax.
Here is what I've tried:
DatabaseExec("db",[[
CREATE TABLE IF NOT EXISTS soundcache (
filename TEXT PRIMARY KEY, -- access path
ISOtime TEXT, -- time format for If-Modified-Since
wav BLOB ) -- the content.
]] )
rc = DatabasePrepare ("db",
"INSERT OR REPLACE INTO soundcache (filename,ISOtime,wav) "..
"VALUES (?,?,?)") --> returns 0 (sqlite3.OK)
Note ("1="..rc)
rc = DatabaseStep ("db",filename,isotime,body) -- returns 101 (sqlite3.DONE)
Note ("2="..rc)
rc = DatabaseFinalize ("db") -- returns 0 (sqlite3.OK)
Note ("3="..rc)
What I've expected from other sqlite interfaces, that DatabaseStep binds the extra parameters to ?-list of parameters.
If a dynamic parameter list is not possible to all supported script engine, I propose a new function DatabaseBind("db",1,data) to assign the first ?-occurrence the field-Data and so on prior to the DatabaseStep.
The big advantage of prepared statements with bound parameters they are type safe and the measure against sql injection.
The above example is working fine, but it just inserts an empty line instead of the real data.