What is wrong with passing parameters through ParamByName, such as:
SQLQuery1.Params.ParamByName('parameter').AsString:='blah, blah' ?
Regards,
Zlatko
----- Original Message -----
From: "Alexandre Leclerc" <[EMAIL PROTECTED]>
To: <lazarus@miraclec.com>
Sent: Tuesday, August 22, 2006 8:43 PM
Subject: Re: [lazarus] parameterized queries
2006/8/21, Joost van der Sluis <[EMAIL PROTECTED]>:
On Mon, 2006-08-21 at 12:59 -0400, Alexandre Leclerc wrote:
> Simply use the StringReplace() function to replace your parameter with
> the desired value. Personally, I used the Format function...
>
> Format('select * from %s where %s', ['table','a=b']);
And what if the string %s is : ' table; drop database' ?
This was an example of the potential; second, to answer your question,
this will not work: this would result in an invalid query. Drop table
is a command in itself.
--
Alexandre Leclerc
_________________________________________________________________
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject
archives at http://www.lazarus.freepascal.org/mailarchives
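To put the two approaches in this thread side by side, here is an added example (it is not code from the thread or from the Lazarus project) that runs the Format-built query from the quoted reply and the ParamByName form Zlatko asks about against the same SQLite table. It assumes FPC with the sqldb and sqlite3conn units and a sqlite3 library installed, and that TSQLite3Connection accepts ':memory:' as the database name; the table, the column and the test value are constructed for the example. The test value is ordinary data containing an apostrophe: pasting it into the SQL text breaks the query in the Format version (the same mechanism that lets a value such as the "; drop" string in the thread change what the query does), while the parameterized version sends it as data and the SQL text never changes.

```pascal
program ParamDemo;
{$mode objfpc}{$H+}
{ Added example, not from the thread or the Lazarus project.
  Assumes FPC with sqldb + sqlite3conn and a sqlite3 library on the machine.
  Uses an in-memory database so nothing on disk is touched (assumption:
  TSQLite3Connection accepts ':memory:' as DatabaseName). }
uses
  SysUtils, sqldb, sqlite3conn;

var
  Conn: TSQLite3Connection;
  Trans: TSQLTransaction;
  Q: TSQLQuery;
  Value: string;

begin
  Conn := TSQLite3Connection.Create(nil);
  Trans := TSQLTransaction.Create(nil);
  Q := TSQLQuery.Create(nil);
  try
    Conn.DatabaseName := ':memory:';
    Conn.Transaction := Trans;
    Trans.DataBase := Conn;
    Q.DataBase := Conn;
    Q.Transaction := Trans;
    Conn.Open;

    // Constructed table for the demo.
    Trans.StartTransaction;
    Conn.ExecuteDirect('create table t (name varchar(40))');
    Trans.Commit;

    // Constructed test value: legitimate data that contains an apostrophe.
    // In Pascal '' inside a string literal is one quote, so this is o'brien.
    Value := 'o''brien';

    // Insert it through a parameter; the driver carries the value separately
    // from the SQL text, so no quoting or escaping is done in the program.
    Q.SQL.Text := 'insert into t (name) values (:name)';
    Q.Params.ParamByName('name').AsString := Value;
    Q.ExecSQL;
    Trans.Commit;

    // 1. String building, as in the quoted reply. The value is pasted into
    //    the SQL text, so its apostrophe ends the literal early and the
    //    remainder is parsed as SQL: the query is now shaped by the data.
    Q.SQL.Text := Format('select name from t where name = ''%s''', [Value]);
    WriteLn('Built SQL : ', Q.SQL.Text);
    try
      Q.Open;
      WriteLn('Format version returned: ', Q.FieldByName('name').AsString);
      Q.Close;
    except
      on E: Exception do
        WriteLn('Format version failed: ', E.Message);
    end;

    // 2. ParamByName, as Zlatko describes. The SQL text is fixed; the same
    //    value is passed as data and matches the row that was inserted.
    Q.SQL.Text := 'select name from t where name = :name';
    Q.Params.ParamByName('name').AsString := Value;
    Q.Open;
    WriteLn('Param SQL : ', Q.SQL.Text);
    WriteLn('Parameterized version returned: ', Q.FieldByName('name').AsString);
    Q.Close;
  finally
    Q.Free;
    Trans.Free;
    Conn.Free;
  end;
end.
```

Compile with fpc ParamDemo.pas and run it: the Format version either raises a syntax error or, for a value chosen to be valid SQL, runs a query the program never wrote, whereas the parameterized version prints o'brien. Note that ParamByName only works for values; table and column names (the first %s in the quoted Format call) cannot be parameters and must come from a fixed list in the program rather than from input.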