Subject Re: [firebird-support] Invalid Token when trying to insert XML into a BLOB
Author Mark Rotteveel
On Thu, 20 Oct 2011 11:32:13 -0000, "dasdiohsauiguihsfda"
<thomas.bueter@...> wrote:
> 3. Language
> C# + .NET-Provider FirebirdSql.Data.FirebirdClient (Version 2.6.0, I
> couldn't get 2.6.5 to work)
>
> My Problem:
> I am building a database which heavily relies on XML-Data. The problem
> is that I cannot get any XML-Data into the database, the db refuses to
> accept the data and always throws "Token Unknown in line 3 Column 122 s" -
> which is strange, because even if I actually change the statement for
> insertion or do an update on the xml-field, I always get "line 3 Column
> 122 s", it refuses to accept the XML as a value. When I use any other
> string (for example "TESTTESTTESTTESTTEST") it works however.
>
> Here is my insert statement:
> FbCommand DBCommand = new FbCommand("INSERT INTO games (name_of_game,
> info_xml) VALUES ('" + GameToInsert.Name + "', '" + XMLString + "')",
> DBConnector, DBTransaction);
> DBCommand.ExecuteNonQuery();
> DBTransaction.Commit();
>
> Now - if I do an insert on the "name_of_product"-field, it works fine.
> The info_xml however refuses everything. The field is a "BLOB SUB_TYPE
> TEXT"-type field. I cannot seem to get a grasp why this happens - can
> someone help me out here? How do I insert the XML into the db?
>
>
> Thanks in advance for your replies,
> Thomas Bueter

<snipped load of XML>

> and jaw-dropping graphics powered by gamesdbid's revolutionary

<snipped even more XML>

Here is your problem. You are concatenating the query string instead of
using prepared statements (parameterized queries). The text in your XML
contains an unescaped apostrophe, so that closes the SQL string after
'gamesdbid'. Next the parser encounters the s, which is out of place and
results in the error.

Please change your code to use prepared statements and never ever
concatenate external strings into a query; by using prepared statements you
immediately remove problems like vulnerability to SQL injection.

Mark

BTW: For more specifics on the Firebird .net provider, join the .net
provider mailing list.
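Added example (editor's code, not from the original post or from the Firebird project): the insert from the question rewritten to use a parameterized FbCommand, next to a helper that builds the concatenated statement so the effect of the apostrophe in "gamesdbid's" is visible. The table and column names (games, name_of_game, info_xml) are the ones from the post; the connection string, the sample XML and the class and method names are assumptions. FbDbType.Text is the provider's type for a BLOB SUB_TYPE TEXT column.

```csharp
// Added example, not code from the original post or the Firebird project.
// Assumptions: placeholder connection string; "games" table with columns
// name_of_game and info_xml (BLOB SUB_TYPE TEXT), as described in the post.
using System;
using FirebirdSql.Data.FirebirdClient;

class GameRepository
{
    // Placeholder connection string (assumption); replace with your own.
    const string ConnectionString =
        "User=SYSDBA;Password=masterkey;Database=games.fdb;DataSource=localhost;" +
        "Port=3050;Dialect=3;Charset=UTF8;";

    // Constructed sample input. The apostrophe in "gamesdbid's" is exactly the
    // character that terminates the string literal early when the SQL text is
    // built by concatenation.
    static readonly string SampleXml =
        "<game>\n" +
        "  <title>Example Title</title>\n" +
        "  <blurb>jaw-dropping graphics powered by gamesdbid's revolutionary engine</blurb>\n" +
        "</game>";

    // VULNERABLE: the concatenation pattern from the post, kept only to show the
    // failure. Any apostrophe in the data closes the literal and the remainder is
    // parsed as SQL tokens; the same property is what makes SQL injection possible.
    static string BuildConcatenatedSql(string name, string xml)
    {
        return "INSERT INTO games (name_of_game, info_xml) VALUES ('" + name + "', '" + xml + "')";
    }

    // SAFE: parameterized statement. The SQL text is fixed at prepare time and the
    // values are sent separately, so an apostrophe (or anything else) in the XML is
    // only data and there is no injection surface.
    static void InsertGame(string name, string xml)
    {
        using (var connection = new FbConnection(ConnectionString))
        {
            connection.Open();
            using (var transaction = connection.BeginTransaction())
            using (var command = new FbCommand(
                "INSERT INTO games (name_of_game, info_xml) VALUES (@name, @xml)",
                connection, transaction))
            {
                command.Parameters.Add("@name", FbDbType.VarChar).Value = name;
                // FbDbType.Text maps to BLOB SUB_TYPE TEXT, so the XML is written as a
                // blob instead of being squeezed into a quoted VARCHAR literal.
                command.Parameters.Add("@xml", FbDbType.Text).Value = xml;
                command.ExecuteNonQuery();
                transaction.Commit();
            }
        }
    }

    static void Main()
    {
        // Print the statement concatenation would have sent: the literal is closed
        // right after gamesdbid and the stray "s" is what the parser reports.
        Console.WriteLine(BuildConcatenatedSql("Example Title", SampleXml));

        InsertGame("Example Title", SampleXml);
        Console.WriteLine("Inserted with parameters; apostrophe preserved.");
    }
}
```

The parameterized version also removes the need to escape anything by hand: doubling apostrophes in the XML would make the literal parse, but it would still leave the statement text under control of whatever produced the data, which is the problem Mark's reply is pointing at.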