```crystal
db.exec "update rpg_user_items set in_stash = ?", tabid
```
I am curious how the question mark (`?`) cleans the user input. I’ve been trying to find the source of its magic in https://github.com/crystal-lang/crystal-mysql, but with no luck.
- What kind of Crystal methods does it utilize to clean (escape single quotes, etc) the user input?
- Is it similar to PHP’s mysqli::real_escape_string?
The reason I ask is that I created a Hash-to-query update method and ran into some problems where single quotes were not being escaped (possible SQL injection). However, when I switched to using `?`, it fixed it.
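Editor's note, not part of the post above: the `?` in `db.exec` is not an escaping step. crystal-db hands the arguments to the driver separately from the SQL text, and crystal-mysql sends them to the server through MySQL prepared statements, so a value is never spliced into the query string in the first place. The example below (added here, not the poster's code or the shard's) shows the Hash-driven update described in the question written both ways: one builder interpolates values into the SQL and breaks on a single quote, the other keeps every value as a bound parameter and only splices in column names, which it checks against a fixed whitelist because placeholders cannot stand in for identifiers. The table name, column list, connection string and `id` column are assumptions chosen for the illustration.

```crystal
require "db"
require "mysql"

# Hypothetical whitelist of columns this update is allowed to touch.
# Identifiers cannot be bound with ?, so they must be validated some other way.
ALLOWED_COLUMNS = {"in_stash", "quantity", "label"}

# The broken approach: values are turned into quoted SQL literals by hand.
# A value containing a single quote ends the literal early and the rest of
# the value is parsed as SQL. Shown only to illustrate the failure mode.
def build_update_unsafe(table : String, values : Hash(String, String | Int32), id : Int32) : String
  sets = values.map { |col, v| "#{col} = '#{v}'" }.join(", ")
  "UPDATE #{table} SET #{sets} WHERE id = #{id}"
end

# The parameterised approach: one ? per value, values returned as a separate
# argument list for the driver to bind. Nothing from the Hash's values ever
# appears in the SQL text.
def build_update(table : String, values : Hash(String, DB::Any), id : Int32) : {String, Array(DB::Any)}
  raise ArgumentError.new("no columns to update") if values.empty?
  values.each_key do |col|
    raise ArgumentError.new("unknown column #{col}") unless ALLOWED_COLUMNS.includes?(col)
  end
  sets = values.keys.map { |col| "#{col} = ?" }.join(", ")
  args = [] of DB::Any
  values.each_value { |v| args << v }
  args << id
  {"UPDATE #{table} SET #{sets} WHERE id = ?", args}
end

# Constructed input: a label with a single quote, the case from the question.
label = "Bob's sword"

puts build_update_unsafe("rpg_user_items", {"in_stash" => 0, "label" => label}, 42)
# The quote in the label terminates the string literal and leaves "s sword'"
# dangling as SQL; a crafted label could append arbitrary statements here.

values = {"in_stash" => 0, "label" => label} of String => DB::Any
sql, args = build_update("rpg_user_items", values, 42)
puts sql
# UPDATE rpg_user_items SET in_stash = ?, label = ? WHERE id = ?
# The quote travels inside args, bound by the driver, and reaches the server as data.

# Connection string is a placeholder; exec accepts the argument array via args:.
DB.open "mysql://user:pass@localhost/game" do |db|
  db.exec sql, args: args
end
```

The important property is visible in the two printed statements: the unsafe builder's output changes shape depending on what the user typed, while the parameterised builder's SQL text is fixed by the column set alone and the user-controlled values only ever appear in the argument list.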