Gambas Documentation

Database Request Quoting

The methods of the Connection class of the database component support a quoting mechanism for building your SQL requests.

This quoting mechanism is similar to the Subst$ function, and it will allow you:
  • to build database-independent requests.

  • to avoid SQL injection.

I strongly suggest using these methods for security reasons, and never building your requests by simple string concatenation!

The substitution methods take a format string and a list of arguments.

The patterns &1, &2, ... are replaced by the first, second, ... argument respectively.

The patterns can be in any order in the format string, and can be repeated.

If you want to specify more than nine arguments, you have to enclose the argument index between { and }: &{10}, &{11}, and so on.

By default, an argument is assumed to be a SQL value, and it is quoted according to its datatype in the result string.

Since 3.18

If a substitution pattern is enclosed in square brackets, then the argument is assumed to be a table name, and the Connection.Quote method is used to correctly quote the table name in the result string.

If a substitution pattern is enclosed in quotes or backquotes, then the argument is assumed to be a column name, and the Connection.Quote method is used to correctly quote the column name in the result string.

' Result with a SQLite database
Print DB.Subst("SELECT * FROM [&1] WHERE '&2' = &3 ORDER BY '&4'", "Table", "Column1", "a string", "Column2")
SELECT * FROM "Table" WHERE "Column1" = 'a string' ORDER BY "Column2"

' Result with a PostgreSQL database (E'...' is the PostgreSQL escape-string literal)
Print DB.Subst("SELECT * FROM [&1] WHERE '&2' = &3 ORDER BY '&4'", "Schema.Table", "Column1", "a string", "Column2")
SELECT * FROM "Schema"."Table" WHERE "Column1" = E'a string' ORDER BY "Column2"
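As an added example that is not part of this page or of the Gambas sources, the following Python model implements the substitution rules described above with SQLite-style quoting: identifiers go in double quotes (a dotted table name becomes "Schema"."Table"), strings go in single quotes with every embedded quote doubled, and &N / &{NN} / [&N] / '&N' / `&N` are recognised as the page describes. The regular expression, the per-type quoting rules and the handling of unpaired delimiters are assumptions of this model, not a description of how the database component's drivers quote internally. The point it makes is the one the page argues: once every argument passes through a quoting rule, a value such as `x' OR '1'='1` stays a single string literal instead of altering the request.

```python
import re
from datetime import date, datetime

# Constructed model (not Gambas code) of the Connection.Subst pattern syntax
# described on the page, rendered with SQLite-style quoting:
#   &1 .. &9       SQL value, quoted according to its datatype
#   &{10}, ...     same, for argument indexes above nine
#   [&1]           table name, quoted as an identifier ("Schema"."Table" if dotted)
#   '&1' or `&1`   column name, quoted as an identifier
_PATTERN = re.compile(
    r"(?P<open>[\['`])?&(?:\{(?P<long>\d+)\}|(?P<short>[1-9]))(?P<close>[\]'`])?"
)
_PAIRS = {"[": "]", "'": "'", "`": "`"}


def quote_identifier(name, allow_schema=False):
    """Double-quote an identifier, doubling any embedded double quote.

    With allow_schema=True a dotted name is quoted part by part, so that
    "Schema.Table" becomes "Schema"."Table" as in the page's example.
    """
    parts = name.split(".") if allow_schema else [name]
    return ".".join('"' + part.replace('"', '""') + '"' for part in parts)


def quote_value(value):
    """Render a Python value as a SQLite literal (assumed mapping for this model)."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):            # checked before int: bool is an int subclass
        return "1" if value else "0"
    if isinstance(value, (int, float)):
        return repr(value)
    if isinstance(value, datetime):
        return "'" + value.isoformat(sep=" ") + "'"
    if isinstance(value, date):
        return "'" + value.isoformat() + "'"
    if isinstance(value, (bytes, bytearray)):
        return "X'" + bytes(value).hex() + "'"  # SQLite blob literal
    if isinstance(value, str):
        # Doubling every single quote keeps the argument inside its literal,
        # whatever characters the caller (or an attacker) put in it.
        return "'" + value.replace("'", "''") + "'"
    raise TypeError(f"cannot quote value of type {type(value).__name__}")


def subst(fmt, *args):
    """Expand the &N patterns of fmt with the quoted args (1-based, any order, reusable)."""

    def expand(match):
        index = int(match.group("long") or match.group("short"))
        if not 1 <= index <= len(args):
            raise IndexError(f"pattern &{index} has no matching argument")
        arg = args[index - 1]
        opener, closer = match.group("open"), match.group("close")
        if opener and closer == _PAIRS[opener]:
            # [&N] is a table name, '&N' and `&N` are column names
            return quote_identifier(arg, allow_schema=(opener == "["))
        # Unpaired delimiters are ordinary text surrounding a plain value.
        return (opener or "") + quote_value(arg) + (closer or "")

    return _PATTERN.sub(expand, fmt)


if __name__ == "__main__":
    # The page's first example, rendered by this model
    print(subst("SELECT * FROM [&1] WHERE '&2' = &3 ORDER BY '&4'",
                "Table", "Column1", "a string", "Column2"))
    # A hostile constructed value stays one literal instead of changing the request
    print(subst("SELECT * FROM [&1] WHERE '&2' = &3", "Users", "Name", "x' OR '1'='1"))
```

Running the module prints the page's SQLite result followed by `SELECT * FROM "Users" WHERE "Name" = 'x'' OR ''1''=''1'`; the would-be injection is compared as a plain string. The same rules also cover the page's schema-qualified table example and indexes beyond nine via &{10}.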