Documentation Source Text

Check-in [af551e7e6d]

Overview
Comment: Explanation of the use of :-prefix host parameters for substitution in the TCL interface.
SHA1: af551e7e6d1028654363cff65f574867f974527c
User & Date: drh 2010-11-29 21:50:43
Context
2010-11-30 12:11: Minor changes to lang_dropview.html. Add section to lang.in describing resolution of object names. check-in: 6ec0e9720c user: dan tags: trunk
2010-11-29 21:50: Explanation of the use of :-prefix host parameters for substitution in the TCL interface. check-in: af551e7e6d user: drh tags: trunk
2010-11-29 12:05: Change a sentence in lang_droptable.html. check-in: 8c82296b21 user: dan tags: trunk
Changes

Changes to pages/tclsqlite.in.


<blockquote><b>
a=1 b=hello<br>
a=2 b=goodbye<br>
a=3 b=howdy!</b>
</blockquote>


<p>
Tcl variable names can appear in the SQL statement of the second argument
in any position where it is legal to put a string or number literal.  The
value of the variable is substituted for the variable name.  If the
variable does not exist a NULL values is used.  For example:
</p>

................................................................................

<blockquote><b>
db1 eval {INSERT INTO t1 VALUES(5,@bigstring)}
</b></blockquote>

<p>
If the variable does not have a bytearray representation, then "@" works
just like "$".















</p>

}

##############################################################################
METHOD close {

<blockquote><b>
a=1 b=hello<br>
a=2 b=goodbye<br>
a=3 b=howdy!</b>
</blockquote>

<tcl>hd_fragment varsubst {TCL variable substitution}</tcl>
<p>
Tcl variable names can appear in the SQL statement of the second argument
in any position where it is legal to put a string or number literal.  The
value of the variable is substituted for the variable name.  If the
variable does not exist a NULL values is used.  For example:
</p>
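Review bot: The fragment title on the added hd_fragment line spells the language "TCL", while the paragraph it labels opens with "Tcl variable names"; pick one spelling so the link text and the body agree. Since this paragraph now becomes a link target, the unchanged context line "a NULL values is used" is worth correcting to "a NULL value is used" in the same change.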

................................................................................

<blockquote><b>
db1 eval {INSERT INTO t1 VALUES(5,@bigstring)}
</b></blockquote>

<p>
If the variable does not have a bytearray representation, then "@" works
just like "$".  Note that ":" works like "$" in all cases so the following
is another way to express the same statement:
</p>

<blockquote><b>
db1 eval {INSERT INTO t1 VALUES(5,:bigstring)}
</b></blockquote>

<p>The use of ":" instead of "$" before the name of a variable can 
sometimes be useful if the SQL text is enclosed in "..." instead of
{...}.  When the SQL is contained within "..." then TCL will do
the substitution of $-variables, which can lead to SQL injection if
extreme care is not used.  But TCL will never substitute a :-variable
regardless of whether "..." or {...} are used to enclose the SQL, so
the use of :-variables adds an extra measure of defense against SQL
injection.
</p>

}

##############################################################################
METHOD close {
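Review bot: The added paragraph motivates ":" for SQL enclosed in "...", but the only example in this hunk, "db1 eval {INSERT INTO t1 VALUES(5,:bigstring)}", uses {...}, which is the case where the choice of prefix does not matter for injection. Adding the same statement written with "..." and :bigstring would show the form the paragraph is actually about. The sentence "Note that ":" works like "$" in all cases" is appended to the "@" paragraph, whose point is the bytearray representation; a short clause saying what "in all cases" covers there would remove the ambiguity. "If extreme care is not used" would also read better as a direct recommendation, for example to keep SQL in {...} and to use :-variables whenever "..." cannot be avoided.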