|
| double quotes in value clauses |
 |
26 Feb 2008 06:39:58 -0700 |
i delphi i create sql statements on the fly to insert etc
i have found problems when data inclueds a double quote messes up the sql
cant remember but there must be a way of using a different qualifier roound the
data in the value clause
thanks
chris
|
| Post Reply
|
| Re: double quotes in value clauses |
 |
26 Feb 2008 07:07:08 -0700 |
The easiest solution is to use a parameterized query. This *always*
works.
--
Craig Stuntz [TeamB] · Vertex Systems Corp. · Columbus, OH
Delphi/InterBase Weblog : http://blogs.teamb.com/craigstuntz
Please read and follow Borland's rules for the user of their
|
| Post Reply
|
| Re: double quotes in value clauses |
 |
26 Feb 2008 07:28:40 -0700 |
can you explain what that is
i am building up a query in the code manually and ftp to a server where it is
run thru isql
how do i do i
sample here
filename := 'c:\dsmout\DSMADD-'+ controlcontrol_dsm.text +
account_number.Text + formatdatetime('yyyy-mm-dd-hh.ss',now()) + '.sql';
s:= tstringlist.create;
try
s.add ('CONNECT /data/dsmdata/interbase/amends/AMENDS.GDB user
"SYSDBA" password "masterkey";');
s.add ('DELETE FROM customers where cust_number = ' +'"' +
account_number.text + '";');
s.add ('INSERT INTO
customers(cust_number,cust_dsm,cust_date,cust_status,');
s.add
('cust_cfname,cust_cad1,cust_cad2,cust_cad3,cust_cad4,cust_cadpc,');
s.add ('cust_mobile,cust_contact,cust_phone,cust_fax)');
s.add (' VALUES ("' + account_number.Text + '","'
+ controlcontrol_dsm.Text + '","'
+ sqldate +
'","O","'
+ account_name.Text + '","'
+ acc_address1.text + '","'
+ acc_address2.text + '","'
+ acc_address3.text + '","'
+ acc_address4.text + '","'
+ acc_postcode.Text + '","'
+ acc_sec_mobile.text + '","'
"Craig Stuntz [TeamB]" <craig_stuntz@nospam.please [a.k.a.
acm.org]> wrote:
> The easiest solution is to use a parameterized query. This *always*
>works.
>
>--
>Craig Stuntz [TeamB] · Vertex Systems Corp. · Columbus, OH
> Delphi/InterBase Weblog : http://blogs.teamb.com/craigstuntz
>Please read and follow Borland's rules for the user of their
> server: http://support.borland.com/entry.jspa?externalID=293
|
| Post Reply
|
| Re: double quotes in value clauses |
 |
26 Feb 2008 09:04:20 -0700 |
thanks wayne
will the quotedstr be recognised at the server end ok
i am using firebird isql to process files when they have been sent to the
server
thanks
chris
"Wayne Niddery \(TeamB\)" <wniddery@chaffaci.on.ca> wrote:
>"chrisgi" <chrisgi@omex.com> wrote in message
>news:47c43028$1@newsgroups.borland.com...
>>
>> can you explain what that is
>
>If you are executing the query yourself then a parameterized query is
>something offered by SQL database servers to provide more efficiency - you
>only need to give it an SQL query once, and then you can execute it any
>number of times with different parameters just by passing the parameters
>instead of the entire query.
>
>However, if you need to pass a complete script to another process then this
>won't work for you very well.
>
>> s.add (' VALUES ("' + account_number.Text +
'","'
>> + controlcontrol_dsm.Text +
'","'
>> + sqldate +
'","O","'
>> + account_name.Text +
'","'
>> + acc_address1.text +
'","'
>> + acc_address2.text +
'","'
>> + acc_address3.text +
'","'
>> + acc_address4.text +
'","'
>> + acc_postcode.Text +
'","'
>> + acc_sec_mobile.text +
'","'
>
>You are using double-quotes to delimit the values, but the SQL standard is
>to use single quotes. Double quotes are supposed to be used to indicate
>metadata such as table for field names. However, just changing that won't
>solve the problem of any of your values having embedded quotes. The solution
>to both is to use the QuotedStr function.
>
> s.add (' VALUES (' + QuotedStr(account_number.Text) + ','
> + QuotedStr(controlcontrol_dsm.Text) + ','
> + // etc...
>
>
>--
>Wayne Niddery - TeamB (www.teamb.com)
>Winwright, Inc. (www.winwright.ca)
>
|
| Post Reply
|
| Re: double quotes in value clauses |
 |
Tue, 26 Feb 2008 11:03:56 -050 |
"chrisgi" <chrisgi@omex.com> wrote in message
news:47c43028$1@newsgroups.borland.com...
>
> can you explain what that is
If you are executing the query yourself then a parameterized query is
something offered by SQL database servers to provide more efficiency - you
only need to give it an SQL query once, and then you can execute it any
number of times with different parameters just by passing the parameters
instead of the entire query.
However, if you need to pass a complete script to another process then this
won't work for you very well.
> s.add (' VALUES ("' + account_number.Text +
'","'
> + controlcontrol_dsm.Text + '","'
> + sqldate +
'","O","'
> + account_name.Text + '","'
> + acc_address1.text + '","'
> + acc_address2.text + '","'
> + acc_address3.text + '","'
> + acc_address4.text + '","'
> + acc_postcode.Text + '","'
> + acc_sec_mobile.text + '","'
You are using double-quotes to delimit the values, but the SQL standard is
to use single quotes. Double quotes are supposed to be used to indicate
metadata such as table for field names. However, just changing that won't
solve the problem of any of your values having embedded quotes. The solution
to both is to use the QuotedStr function.
s.add (' VALUES (' + QuotedStr(account_number.Text) + ','
+ QuotedStr(controlcontrol_dsm.Text) + ','
+ // etc...
--
Wayne Niddery - TeamB (www.teamb.com)
Winwright, Inc. (www.winwright.ca)
|
| Post Reply
|
|
|