\t\t\t\tIt takes 11 lines of code to do this query in PostgreSQL with binary parameters, such as non-escaped strings or binary data. Here, I pass a parameter as a string, so have to escape it to prevent SQL injection attacks.<\/p>\n
char *outTemp[3];
\nint outLengths[3];
\nint formats[3];
\nformats[0]=PQEXECPARAM_FORMAT_TEXT;
\nformats[1]=PQEXECPARAM_FORMAT_BINARY; \/\/ Always happens to be binary
\nformats[2]=PQEXECPARAM_FORMAT_BINARY; \/\/ Always happens to be binary
\nsprintf(query, “INSERT INTO FileVersionHistory(applicationID, filename, createFile, changeSetID, userName) VALUES (%i, $1::text,FALSE,%i,’%s’);”, applicationID, changeSetId, GetEscapedString(userName).C_String());
\noutTemp[0]=deletedFiles.fileList[fileListIndex].filename;
\noutLengths[0]=(int)strlen(deletedFiles.fileList[fileListIndex].filename);
\nformats[0]=PQEXECPARAM_FORMAT_TEXT;
\nresult = PQexecParams(pgConn, query,1,0,outTemp,outLengths,formats,PQEXECPARAM_FORMAT_BINARY);<\/p>\n
With my new function, ExecVaridic, it’s one line of code.<\/p>\n
result = ExecVaridic(“INSERT INTO FileVersionHistory(applicationID, filename, createFile, changeSetID, userName) VALUES (%i, %s, FALSE,%i,%s);”, applicationID, deletedFiles.fileList[fileListIndex].filename, changeSetId, userName.C_String());<\/p>\n
Why has no one thought of this before?<\/p>\n
I support binary data too.<\/p>\n
result = ExecVaridic(“INSERT INTO fileVersionHistory(binaryData) VALUES (%c)”, binaryData, binaryDataLength);<\/p>\n
%c is my own extension, to mean binary data followed by length.<\/p>\n
No string escaping necessary.<\/p>\n