Lua insert statement

Question

I'm having problems with my insert statement:

Create = function (LN,FN,Add,Tel,Cell)
    LastName = tostring(LN);
    FirstName = tostring(FN);
    Address = tostring(Add);
    Telephone =tostring(Tel); 
    Cellphone = tostring(Cell);

--source of the problem

conn:execute([[INSERT INTO book(LastName, FirstName, Address, Telephone, Cellphone) VALUES ("]]"'"LastName"','"FirstName"','" Address"','" Telephone"','" Cellphone")]]'")

 print ("\n Creating an account Successful")
 end

`conn:execute([[INSERT INTO book(LastName, FirstName, Address, Telephone, Cellphone) VALUES (']]..LastName.."','"..FirstName.."','"..Address.."','"..Telephone.."','"..Cellphone.."')")` — Egor Skriptunoff, Apr 18 '14 at 07:54
Please look into prepared statements and data binding. String concatenation is less efficient and leads to injection attacks. — Colonel Thirty Two, Apr 18 '14 at 11:53

hjpotter92 · Answer 1 · 2014-04-18T11:04:57.520

3

I'd suggest that you use the string.format for placing the data:

Create = function (LN,FN,Add,Tel,Cell)
    local LastName, FirstName, Address, Telephone, Cellphone = tostring(LN), tostring(FN), tostring(Add), =tostring(Tel), tostring(Cell)
    local sQuery = [[INSERT INTO book(LastName, FirstName, Address, Telephone, Cellphone) VALUES ('%s', '%s', '%s', '%s', '%s')]]
    conn:execute( sQuery:format(LastName, FirstName, Address, Telephone, Cellphone) )

edited Apr 18 '14 at 11:04

answered Apr 18 '14 at 09:58

hjpotter92

78,589
36
144
183

You might want to correct the typo on sQeury in the conn:execute – Jane T Apr 18 '14 at 11:04

Lua insert statement

1 Answers1