
04-14-2009, 03:10 PM
I tried using string.escape() as you suggested, but as I thought, it escaped single quotes with a backslash, which is incorrect; you're supposed to escape single quotes with another single quote.
I also suggest adding "parameterized queries", which is basically when question marks in the query are replaced by function parameters to protect against SQL injection and stuff. Example:
executesql("INSERT INTO options VALUES (?,?)", {"profit", 9001});
Last edited by Inverness; 04-14-2009 at 05:54 PM.
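Worked contrast of the three approaches discussed in the post above (backslash-escaping, doubled-quote escaping, and `?` placeholders) against an in-memory SQLite database. This is an added Python/sqlite3 example, not code from the forum thread; the `options` table schema and the sample value are constructed assumptions.

```python
import sqlite3


def _fresh_db():
    # Constructed schema matching the two-column INSERT from the post.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE options (name TEXT, value TEXT)")
    return conn


def escape_backslash(s):
    # Wrong for SQL: a backslash is an ordinary character inside a SQL string literal,
    # so the quote still terminates the literal and the statement is malformed.
    return s.replace("'", "\\'")


def escape_double(s):
    # Correct SQL string-literal escaping: a single quote is written as two single quotes.
    return s.replace("'", "''")


def insert_with_escaper(escaper, name, value):
    """Build the statement by string concatenation using the given escaper.
    Returns the stored value on success, or 'error: ...' if SQLite rejects the SQL."""
    conn = _fresh_db()
    sql = "INSERT INTO options VALUES ('%s', '%s')" % (escaper(name), escaper(value))
    try:
        conn.execute(sql)
    except sqlite3.Error as exc:
        return "error: %s" % exc
    return conn.execute("SELECT value FROM options WHERE name = ?", (name,)).fetchone()[0]


def insert_parameterized(name, value):
    """The approach the post recommends: '?' placeholders bound to the values,
    so the values are passed to the engine as data and never parsed as SQL text."""
    conn = _fresh_db()
    conn.execute("INSERT INTO options VALUES (?, ?)", (name, value))
    return conn.execute("SELECT value FROM options WHERE name = ?", (name,)).fetchone()[0]


if __name__ == "__main__":
    tricky = "O'Brien"  # constructed value containing a single quote
    print(insert_with_escaper(escape_backslash, "owner", tricky))  # error: syntax error
    print(insert_with_escaper(escape_double, "owner", tricky))     # O'Brien
    print(insert_parameterized("owner", tricky))                   # O'Brien
```

The parameterized form also removes the need for any escaping helper at all, which is why it is the safer default.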