Details
Type: Suggestion
Resolution: Unresolved
Priority: Not Evaluated
None
6.6.3, 6.8
Description
This official Microsoft document says:
- Prepared execution should not be used for statements executed a single time.
- SQLBindParameter does not require the use of SQLPrepare, it can be used with SQLExecDirect.
- Do not use SQLPrepare with SQLBindParameter unless the same statement will be executed multiple times.
QSqlQuery offers bool QSqlQuery::exec(const QString &query) for query execution without prepare().
However, this function does not support SQL queries with bind parameters.
This is a problem for users who want to use bind parameters as protection against SQL injection, even for a one-time SQL query.
Please consider adding a new feature to "QSqlQuery::exec(const QString &query)" so that it can handle SQL queries with bound parameters.
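The following is an added illustration, not part of the report and not Qt code: it uses Python's sqlite3 module as a stand-in for the one-call "statement plus parameters" API the suggestion asks for. The table, rows and the input string are constructed for the example. It contrasts the string-concatenated query a caller is pushed toward when a parameterised statement has to go through QSqlQuery::exec(const QString &) with a single execute() call that binds the value without a separate prepare step.

```python
import sqlite3

# Constructed in-memory database so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn

def lookup_concat(conn, name):
    # Unsafe: the caller-supplied value becomes part of the SQL text.
    # A single quote in the value changes the statement's structure.
    sql = "SELECT name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def lookup_bound(conn, name):
    # Safe: the statement text is fixed and the value is sent as a
    # parameter. One execute() call takes both the statement and the
    # parameter, with no explicit prepare() step, which is the behaviour
    # the suggestion requests for QSqlQuery::exec().
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()

# Constructed input that would be treated as an ordinary name only
# when it is bound as a parameter.
UNTRUSTED_NAME = "x' OR '1'='1"

def demo():
    """Run both lookups with the same untrusted input and return
    (rows from the concatenated query, rows from the bound query)."""
    conn = make_db()
    try:
        return lookup_concat(conn, UNTRUSTED_NAME), lookup_bound(conn, UNTRUSTED_NAME)
    finally:
        conn.close()

if __name__ == "__main__":
    leaked, safe = demo()
    print("concatenated query returned", leaked)
    print("bound-parameter query returned", safe)
```

The concatenated version returns every row, because the value rewrote the WHERE clause; the bound version returns nothing, because no user is literally named "x' OR '1'='1". The security point of the report is that a caller with a one-time query should be able to get the second behaviour without the prepare()/bindValue()/exec() sequence that Qt currently requires.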