Here is a sample code from the Qt documentation:

QSqlQuery query; query.prepare("INSERT INTO person (id, forename, surname) " "VALUES (:id, :forename, :surname)"); query.bindValue(":id", 1001); query.bindValue(":forename", "Bart"); query.bindValue(":surname", "Simpson"); query.exec();

Do I need to take additional measures to filter the values ​​that are passed to the bindValue method to protect against sql injection or Qt and / or the server (PostgreSQL) will do everything they need? The documentation about this does not say anything.

    1 answer 1

    Most modern database engines no longer process requests as they did in classical php, when the entire request was collected and the ready one was sent to the database. Everything works a little differently. A request with parameters is sent to the base (yes, since you wrote it - with colons, though some engines want to write with question marks instead of parameters, but Qt hides it beautifully and allows both entries). And then, a dictionary is sent to the base (a list of key-value pairs). This greatly simplifies the analysis of long expressions and naturally removes all possibilities for injections into the base.

    But this does not protect against other injections - when the values ​​stored in the database are used for output to the user, for example, to an html page.

    • Yes, here with colons, and in C # the '@' character is used. - maestro