Subject Re: [IBO] escaping apostrophes
Author Geoff Worboys
> I'm doing something like the following, and, now that I'm
> setting the id correctly (duh!), it handles apostrophes:
...
> Sproc.ParamByName( 'title').AsString := Title_Edit.Text;
> ...
> That is, I do not need to escape a single quote with a
> second single quote. It handles Boplicity as well as
> Billy's Bounce.

I think the confusion lies with your insistence that an
apostrophe must be escaped. The only time this is necessary
is when you are creating source code (SQL statements). The
use of parameters is NOT the same as source code; they are
passed through the API and not as source strings.


Assembling some SQL source code in Pascal:

SQL.Text :=
'SELECT * FROM ATABLE WHERE ATITLE = ' + Title_Edit.Text;
Prepare;
// do whatever; there are NO parameters

In this example we are creating an SQL statement (source code)
by concatenating the contents of the Title_Edit to an SQL select.
The above would ONLY work if the Title_Edit input included
surrounding (single) quotes and any embedded quotes were escaped.


But the above example is quite different from using parameters:

SQL.Text :=
'SELECT * FROM ATABLE WHERE ATITLE = :MYPARAM';
Prepare;
ParamByName('MYPARAM').AsString := Title_Edit.Text;

In this example a complete SQL statement with parameters is
input to the dataset/proc and prepared and then the parameter
value assigned.

A parameter value is passed directly to FB in the API. It is
not converted to some sort of source string but directly as
the type of value identified during the prepare process. For
example an integer is passed as four bytes of that integer,
and not as the integer converted to string.

This means the content of Title_Edit does not need any quotes
to be accepted, and any quotes it does provide will be taken
as part of the string value by the API without any need for
escaping.


(Note that IBO does support a sort of macro processing, and
using that feature would behave more like you seem to be
thinking, because the macro processing can be used to change
the SQL statement.)

--
Geoff Worboys
Telesis Computing
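As an added example, not from Geoff's message or from IBO, the same distinction shown in Python against an in-memory SQLite database rather than Delphi/Firebird: the table, rows and the two titles are constructed here, and the three lookup variants are hypothetical helpers written for this illustration.

```python
import sqlite3

# Constructed sample rows, echoing the titles mentioned in the thread.
TITLES = ["Boplicity", "Billy's Bounce"]

def make_db():
    """In-memory stand-in for ATABLE with an ATITLE column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE atable (id INTEGER PRIMARY KEY, atitle TEXT)")
    conn.executemany("INSERT INTO atable (atitle) VALUES (?)",
                     [(t,) for t in TITLES])
    return conn

def quote_for_source(value):
    """Turn a value into an SQL string literal: wrap it in single quotes
    and double any embedded apostrophe. This is only needed when the
    value is spliced into statement text."""
    return "'" + value.replace("'", "''") + "'"

def lookup_concatenated(conn, literal):
    """Build the statement as source text. `literal` must already be a
    valid SQL string literal, i.e. quoted and escaped by the caller."""
    sql = "SELECT atitle FROM atable WHERE atitle = " + literal
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, value):
    """Prepare a statement with a placeholder and bind the raw value
    through the driver API; the value is never parsed as SQL."""
    sql = "SELECT atitle FROM atable WHERE atitle = ?"
    return [row[0] for row in conn.execute(sql, (value,))]

def compare(value):
    """Run the three variants on one input and report what each returns,
    or the parser error that unescaped concatenation produces."""
    conn = make_db()
    bound = lookup_parameterised(conn, value)
    escaped = lookup_concatenated(conn, quote_for_source(value))
    try:
        raw = lookup_concatenated(conn, "'" + value + "'")
    except sqlite3.OperationalError as exc:
        raw = "error: " + str(exc)
    return {"parameter": bound, "escaped_source": escaped, "raw_source": raw}

if __name__ == "__main__":
    for t in TITLES:
        print(t, compare(t))
```

"Boplicity" works in all three variants; "Billy's Bounce" works with the parameter and with the properly escaped literal, while the raw concatenation fails to parse because the apostrophe ends the string literal early.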