Qt
QTBUG-133051

Handling a SQL query containing place holders in QSqlQuery::exec(const QString &query)

Description

      Prepared Execution

      This official Microsoft document says:

      • Prepared execution should not be used for statements executed a single time.
      • SQLBindParameter does not require the use of SQLPrepare, it can be used with SQLExecDirect.
      • Do not use SQLPrepare with SQLBindParameter unless the same statement will be executed multiple times.

      QSqlQuery offers

      bool QSqlQuery::exec(const QString &query)

      for query execution without prepare().
      However, this function does not support SQL queries with bind parameters.
      This is a problem for users who want to use bind parameters as protection against SQL injection, even for a one-time SQL query.

      Please consider adding a new feature to "QSqlQuery::exec(const QString &query)" so that it can handle SQL queries with bound parameters.

People

            chehrlic Christian Ehrlicher
            hitoshiito Hitoshi Ito