Parse xml file, put results in mysql db

Isn't that open to SQL injection?

···

--- Jon Egil Strand <jes@luretanker.no> wrote:

> My first instinct would be to remove the "#{}" around the variables, though I
> can't see that being the main issue.

That sounds plausible.

Usually, I don't use prepare and execute, but instead:

require 'dbi'

DBI.connect('DBI:ODBC:database') do |dbh|
  your_data_structure.each do |data|
    # Values are spliced straight into the statement text with "#{}",
    # so they become part of the SQL rather than being passed as data.
    sql = "INSERT INTO table
             (col1,
              col2,
              col3)
           VALUES
             ('#{data.val1}',
              '#{data.val2}',
              '#{data.val3}')"
    dbh.do( sql )
  end
end

--
Jon Egil Strand
Phone: +47 98232340
jes@luretanker.no
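To make the injection point in the interpolated INSERT above concrete, here is an added example (not code from the thread) that places it next to a placeholder-based form of the kind Ruby DBI accepts through `dbh.do(sql, *bindvars)` or `prepare(sql).execute(*bindvars)`. It needs no database: `Row` and the sample values are constructed, and `sql_literals` is a crude tokenizer used only to show when a value has changed the statement's structure.

```ruby
# Added example, not from the thread: the interpolated INSERT from the post
# beside a parameterized version. Runs without a database; the point is
# what reaches the SQL parser as structure versus as data.

Row = Struct.new(:val1, :val2, :val3)   # constructed stand-in for the post's data

# Mirrors the post: values are spliced into the statement text.
def interpolated_insert(data)
  "INSERT INTO table (col1, col2, col3) VALUES " \
  "('#{data.val1}', '#{data.val2}', '#{data.val3}')"
end

# Hardened form: statement text is constant, values travel separately.
# With Ruby DBI this is dbh.do(sql, *params) or prepare(sql).execute(*params).
def parameterized_insert(data)
  sql = "INSERT INTO table (col1, col2, col3) VALUES (?, ?, ?)"
  [sql, [data.val1, data.val2, data.val3]]
end

# Crude structural check: pull out the single-quoted literals the SQL
# parser would see.  If they no longer match the three values we meant
# to insert, a value has become part of the statement itself.
def sql_literals(sql)
  sql.scan(/'([^']*)'/).flatten
end

def structure_changed?(data)
  expected = [data.val1, data.val2, data.val3].map(&:to_s)
  sql_literals(interpolated_insert(data)) != expected
end

# Constructed inputs: an ordinary name, and a name with an apostrophe.
BENIGN = Row.new("alice", "x", "y")
TRICKY = Row.new("O'Reilly", "x", "y")

if __FILE__ == $0
  puts "benign  changes structure? #{structure_changed?(BENIGN)}"   # false
  puts "tricky  changes structure? #{structure_changed?(TRICKY)}"   # true
  sql, params = parameterized_insert(TRICKY)
  puts "parameterized text stays constant: #{sql} -- params #{params.inspect}"
end
```

Note that even an honest value with an apostrophe breaks the interpolated statement, so the parameterized form is a correctness fix as well as a security one.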