Binding the placeholder value of a LIKE clause when operating a database in Qt

Source: Internet
Author: User

To improve security and prevent SQL injection when operating databases in Qt, you can use named placeholders or positional placeholders instead of concatenating values into the SQL string.

This document uses a named placeholder as the example to demonstrate how to bind a value to a placeholder in a LIKE clause. The code is as follows:

#include <QString>
#include <QVector>
#include <QSqlDatabase>
#include <QSqlQuery>
#include <QSqlError>

/* Query at most limitcnt persons from the person table by employee ID (prefix match).
 * no:       employee ID to be queried
 * rslt:     query result (PNAM, PNO, RNO of each matching row, appended in order)
 * limitcnt: maximum number of returned rows
 * Return value: true if the query succeeded, otherwise false; when false is returned, rslt must not be used.
 * Note: if no matching record is found, the query still counts as successful.
 * _log() and DB_CONN_NAME are the project's own logging function and connection name, defined elsewhere. */
bool selPersonAvailable(const QString &no, QVector<QString> &rslt, const int limitcnt)
{
    static const QString funcErrMsg =
        "Query of at most limitcnt persons from the person table by employee ID: %1 failed "
        "on the \"recognize new card number\" interface.";
    // Note: the percent sign (%) of LIKE is not written into the SQL string, and :PNO is not quoted
    QString sql = "select PNAM, PNO, RNO from person where PNO like :PNO and State <> 'D' limit :limitcnt";
    // _log(QString("no = %1, limitcnt = %2").arg(no).arg(limitcnt));
    QSqlDatabase db = QSqlDatabase::database(DB_CONN_NAME);
    QSqlQuery query(db);
    query.prepare(sql);
    query.bindValue(":PNO", QString("%1%").arg(no)); // the percent sign (%) is added to the bound value
    query.bindValue(":limitcnt", limitcnt);
    if (query.exec()) {
        while (query.next()) {
            rslt.append(query.value(0).toString());
            rslt.append(query.value(1).toString());
            rslt.append(query.value(2).toString());
        }
        // _log(QString("rslt.size() = %1").arg(rslt.size()));
        return true;
    } else {
        _log(query.lastError().text());
        _log(funcErrMsg.arg("query.exec()"));
    }
    return false;
}

Note: The percent sign (%) used by the LIKE clause does not appear in the SQL string; it is appended to the value when the placeholder is bound. In addition, the placeholder in the LIKE clause must not be wrapped in single quotation marks (') in the SQL string: because the bound value is a string, the driver quotes it itself, so no single quotation marks are needed around the placeholder.

If positional placeholders are used instead, replace :PNO and :limitcnt with ?, and then bind the values like this:

query.bindValue(0, QString("%1%").arg(no)); // the percent sign (%) is added to the bound value
query.bindValue(1, limitcnt);

Instead of a placeholder name, a sequence number is used. It is determined by the position of the placeholder in the SQL string, counted from left to right as 0, 1, 2, 3, 4, 5, 6, ...

Also, my database uses SQLite.
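The same pattern, as an added example that is not part of the original post: it uses Python's sqlite3 module against an in-memory SQLite database with constructed sample rows rather than Qt, binds the LIKE value with the % appended and the LIMIT value as named parameters, and goes one step beyond the page by also showing an ESCAPE variant so that % or _ typed by the caller match literally instead of acting as wildcards.

```python
import sqlite3

# Constructed sample rows for the page's person table (PNAM, PNO, RNO, State).
SAMPLE_ROWS = [
    ("Alice", "10001", "R1", "A"),
    ("Bob",   "10002", "R2", "A"),
    ("Carol", "10010", "R3", "D"),  # State 'D': excluded by the query's filter
    ("Dan",   "20001", "R4", "A"),
    ("Eve",   "1_0%x", "R5", "A"),  # a PNO that itself contains LIKE metacharacters
]

def open_sample_db():
    """In-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table person (PNAM text, PNO text, RNO text, State text)")
    conn.executemany("insert into person values (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

def _query(conn, pattern, limitcnt, escape_clause=""):
    # As on the page: no % and no quotes around :PNO in the SQL text; both values are bound.
    sql = ("select PNAM, PNO, RNO from person where PNO like :PNO " + escape_clause +
           " and State <> 'D' limit :limitcnt")
    rows = conn.execute(sql, {"PNO": pattern, "limitcnt": limitcnt}).fetchall()
    return [v for row in rows for v in row]  # flattened like the page's QVector<QString>

def sel_person_available(conn, no, limitcnt):
    """The page's query: prefix match, with % appended to the bound value."""
    return _query(conn, no + "%", limitcnt)

def escape_like(value, esc="\\"):
    """Escape the LIKE metacharacters % and _ (and esc itself) so they match literally."""
    return value.replace(esc, esc + esc).replace("%", esc + "%").replace("_", esc + "_")

def sel_person_available_literal(conn, no, limitcnt):
    """Same query with an ESCAPE clause, so % or _ typed by the caller match literally."""
    return _query(conn, escape_like(no) + "%", limitcnt, "escape '\\'")
```

Because the values are bound, a quote character in `no` is stored and compared as data; binding alone, however, does not stop `_` or `%` in the input from widening the match, which is what the ESCAPE variant addresses.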
