Don't be a fool! Prepare statements!

10 years ago · 01c3474c48
parent 458a64d046
commit 01c3474c48
2 changed files with 5 additions and 4 deletions
--- a/display.rb
+++ b/display.rb
@ -28,9 +28,9 @@ print '	Game<input type="text" name="game" />'
 print '	<input type="submit" value="Display Rolls" />'
 print '	</form>'

-
-result = $my.query("SELECT * from rolls" + clause)
+statement = $my.prepare("SELECT * from rolls" + clause)
+result = statement.execute
 result.num_rows.times do
-	puts result.fetch_row.join("\s") + "<br />"
+	puts result.fetch.join("\s") + "<br />"
 end
 print '</html>'
--- a/roller.rb
+++ b/roller.rb
@ -4,5 +4,6 @@ require "./die"
 require "cgi"
 cgi = CGI.new
 result = roll(cgi.params["rollstring"][0].to_s)
-$my.query("INSERT INTO rolls set result='" + cgi.params["rollstring"][0] + "', roll='" + result.to_s + "', user='" + cgi.params["user"][0] + "', game='" + cgi.params["game"][0] + "'")
+statement = $my.prepare("INSERT INTO rolls set result='" + cgi.params["rollstring"][0] + "', roll='" + result.to_s + "', user='" + cgi.params["user"][0] + "', game='" + cgi.params["game"][0] + "'")
+statement.execute
 puts result