Welcome to the official BlackBerry Support Community Forums.

This is your resource to discuss support topics with your peers, and learn from each other.

inside custom component

Native Development

Posts: 148
Registered: ‎04-08-2013
My Device: Blackberry 10
My Carrier: Blackberry
Accepted Solution

Creating SQLITE InsertQuery

Iam trying to make a generic function to Insert Data to specified table.What I have done so far is as follows:

   QVariantMap parametersMap;   //Assuming that Data to insert will be received as QVarient map from server.So I just added the record data to a QvarientMap

  parametersMap["title"] = "Titl1_";
  parametersMap["titleArabic"] = "tille_Arabic";  

  const  QString &value1 = parametersMap.value("title").toString();
  const QString &value2 = parametersMap.value("titleArabic").toString();
  QString insertQuery =  ("INSERT INTO customer (title, titleArabic) VALUES(:value1 ,:value2)"); 


In DbHelper class I have the function to insert data 

void dbHelper::InsertRecord(const QString Insertquery, QVariantMap parameterMap)
        QSqlDatabase database = QSqlDatabase::database();
        QSqlQuery query(database);
       const  QString &value1 = parameterMap.value("title").toString();
       const QString &value2 = parameterMap.value("titleArabic").toString();

        query.bindValue(":value2", value2);
        if( query.exec())
           alert(tr("Record created"));
            const QSqlError error = query.lastError();
            alert(tr("Create record error: %1").arg(error.text()));



As Iam using variable value1 and value2 as record values to insert Iam not able to include these variables directly in the query


What Am doing is at the insertREcord function Iam binding the variable with the value.Because of this I cant make the function generic


Myquestion  is:

)s there any way to add the variable itself as value to insert in the query.So that there will be no need to bind the variable 



Posts: 17,025
Registered: ‎07-29-2008
My Device: Z10 LE, Z30, Passport
My Carrier: O2 Germany

Re: Creating SQLITE InsertQuery

you can use QString.arg to manipulate the query string.
for example QString("INSERT INTO %1 (%2, %3) VALUES (:value1, value2)").arg("customer").arg("title").arg("titleArabic");
would create your query string above.
feel free to press the like button on the right side to thank the user that helped you.
please mark posts as solved if you found a solution.
@SimonHain on twitter
Posts: 115
Registered: ‎10-22-2012
My Device: Developer
My Carrier: Mobifone

Re: Creating SQLITE InsertQuery

Use this:


concat the string, use

bool QSqlQuery::exec ( const QString & query )

 But I recommend NOT use this because you can make Sql Injection

Like my answer if it's helpful. Mark as answer if it help you solve the problem.
Posts: 148
Registered: ‎04-08-2013
My Device: Blackberry 10
My Carrier: Blackberry

Re: Creating SQLITE InsertQuery

Hi simon thanks for ur reply.I tried this query:
QString insertQuery = ("INSERT INTO %1 (%2, %3) VALUES (:value1, value2)").arg("customer").arg("title").arg("titleArabic");

But the problem is:
I got an error msg like this:

error: request for member 'arg' in '("INSERT INTO %1 (%2, %3) VALUES (:value1, value2)")', which is of non-class type 'const char [49]'

Whatz wrong here plz help me out

Posts: 148
Registered: ‎04-08-2013
My Device: Blackberry 10
My Carrier: Blackberry

Re: Creating SQLITE InsertQuery

I got the solution,

  I tried this query 


 ("INSERT INTO customer(title, titleArabic) VALUES(\"" + value1 + "\", \"" + value2 + "\" )");

Posts: 1,524
Registered: ‎12-18-2012
My Device: Z30, Z10 LE, DevAlpha C, PlayBook

Re: Creating SQLITE InsertQuery

[ Edited ]

This is vulnerable to SQL injection. All arguments in SQL queries should be properly escaped or inserted using special tokens.

You can form the query string using the method suggested by @simon_hain, but pass all the values supplied by user or taken from unsafe sources such as network using :1 :2 etc tokens so they are properly escaped by QSqlQuery.



QString insertQuery = ("INSERT INTO %1 (%2, %3) VALUES (:value1, value2)").arg("customer").arg("title").arg("titleArabic");

 This line would compile if changed to:

QString insertQuery = QString("INSERT INTO %1 (%2, %3) VALUES (:value1, value2)").arg("customer").arg("title").arg("titleArabic");

 "" is a plain C string, but .arg() is a method of QString, so QString has to be constructed first.



Andrey Fidrya, @zmeyc on twitter