Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have something like this:
foo { a = 1, b = 2, c = 98,3 }
I generate the insert query dynamically so end up with this:
insert foos(a,b,c) (1, 2, 98,3)
anybody knows how to workaround this ?
Simple answer: don’t use text to insert values in the first place. Use a parameterized SQL query.
This isn’t limited to numbers – it’s also particularly important for dates and times. Conceptually, you’re not dealing with a “number with a comma in” – you’re dealing with a number. SQL happens to be the way we transfer data between the database and the client, but parameterized SQL allows us to keep the values as values without a pointless and error-prone conversion to text in between. Finally, parameterized queries are highly important as a guard against SQL injection attacks when transferring text values.
Basically, separate out the idea of “values” (which go in parameters) and “SQL code” which stays in text.
Just reformatting existing SQL which contains values until it happens to work is a brittle solution at best.