I made a query like this:
(sql (:select '* :from 'kupci
      :where (:and (:raw (if 'ime (sql (:like 'ime (concat-string "%" (parameter "ime") "%"))) t))
                   (:raw (if 'prezime (sql (:like 'prezime (concat-string "%" (parameter "prezime") "%"))) t)))))
but it doesn't work. For example, if (:like ...) for the 'ime field passes and the 'prezime field is null, the record will not be selected. Is the test (if 'prezime ...) OK to test that the field is not null? Or do I have to do something like (if (/= 'prezime nil) ...)?
On 29 January 2011 04:15, Haris <fbogdanovic@xnet.hr> wrote:
> I made a query like this:
> (sql (:select '* :from 'kupci :where (:and (:raw (if 'ime (sql (:like 'ime (concat-string "%" (parameter "ime") "%"))) t))
What exactly do you think (if 'symbol ....) is doing? Why?
> (:raw (if 'prezime (sql (:like 'prezime (concat-string "%" (parameter "prezime") "%"))) t)))))
(if 'prezime ...), unless I'm seriously misunderstanding :raw, is also useless and will always return true.
> but it doesn't work.
I think you're mixing up the differences between Common Lisp and S-SQL. They are not the same language and have drastically different methods of evaluation. Do you know how lisp macros work?
(macroexpand '(s-sql:sql (:raw (if 'foo 'bar 'bar))))
=> (IF 'FOO 'BAR 'BAR)
> For example, if (:like ...) for the 'ime field passes and the 'prezime field is null, the record will not be selected.
> Is the test (if 'prezime ...) OK to test that the field is not null?
No, that's cl:if, and it knows nothing about the database. There is no IF expression in SQL.
SQL has a test for not null... in S-SQL I think it's pronounced (:not (:is-null 'ime)):
(macroexpand '(s-sql:sql (:not (:is-null 'ime)))) => "(not (ime IS NULL))"
> Or do I have to do something like (if (/= 'prezime nil) ...)?
I'm not at all sure why you think this would work either... do you understand the difference between the SQL macro and CL code? :RAW simply evaluates CL code to a string and inserts that.
Also, if that's hunchentoot:parameter I see up there, you're in a lot more trouble than I thought. Google 'sql injection' to find out why.
Basically, I think it's a good idea to learn Common Lisp before attempting to use embedded macro languages. On Lisp is available free and has an in-depth treatment of macros... Practical Common Lisp is also an excellent option.
Until you're comfortable with macros, you might just want to use (SANITIZED!) strings to store your queries... it seems that the SQL macro has left you very confused. Alternately, rather than writing code in a language you don't understand, spend some time learning Common Lisp before jumping into application development.
Finally, if you're going to develop web applications, or _any_ application that has users, always validate and sanitize your input before using it. Please.
Cheers,
drewc
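The approach the reply points at, as an added example that is not code from the thread: decide in Lisp which conditions exist, build the S-SQL form at run time, and let S-SQL produce the string (so values are emitted as escaped literals rather than spliced in through :raw). It assumes Postmodern and S-SQL are loaded; kupci-filter and kupci-query-string are names I chose, and ime/prezime are the request values as Lisp strings or NIL.

```lisp
;;; Added example, not code from the thread. Assumes Postmodern and S-SQL
;;; are loaded. KUPCI-FILTER is an assumed name; IME and PREZIME are the
;;; request values as Lisp strings, or NIL when the form field was absent.
(defun kupci-filter (ime prezime)
  "Return an S-SQL form for KUPCI, adding a LIKE test only for the
fields that were actually supplied. CL:WHEN runs here, at run time, on
Lisp values; nothing Lisp-level is pasted into the SQL text."
  (flet ((supplied-p (s) (and (stringp s) (plusp (length s))))
         (pattern (s) (concatenate 'string "%" s "%")))
    (let ((clauses '()))
      (when (supplied-p ime)
        (push `(:like 'ime ,(pattern ime)) clauses))
      (when (supplied-p prezime)
        (push `(:like 'prezime ,(pattern prezime)) clauses))
      (setf clauses (nreverse clauses))
      (cond ((null clauses) '(:select '* :from 'kupci))
            ((null (rest clauses))
             `(:select '* :from 'kupci :where ,(first clauses)))
            (t `(:select '* :from 'kupci :where (:and ,@clauses)))))))

;; SQL-COMPILE is the function version of the SQL macro, so it accepts a
;; form built at run time. String values inside the form are emitted by
;; S-SQL as quoted, escaped SQL literals, unlike a string inserted via :RAW.
(defun kupci-query-string (ime prezime)
  (s-sql:sql-compile (kupci-filter ime prezime)))

;; Run it against the database:
;; (postmodern:query (kupci-query-string ime prezime))

;; Whether the COLUMN is null is a different question from whether the
;; Lisp variable is NIL; test the column in S-SQL, as in the reply above:
;; (s-sql:sql-compile '(:select '* :from 'kupci
;;                      :where (:not (:is-null 'prezime))))
```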
postmodern-devel mailing list postmodern-devel@common-lisp.net http://common-lisp.net/cgi-bin/mailman/listinfo/postmodern-devel