On Tue, 2007-07-17 at 08:34 +0200, Bram Kuijvenhoven wrote:
> German C. Basisty wrote:
> > I have now a form with a working TPQConnection, a TSQLTransaction, a 
> > TSQLQuery with a  'select * from product' as SQL, a TDatasource, and a 
> > TDBGrid, everything is working fine and every product is shown on the 
> > DBGrid as expected. Now I want to add a TEdit to make possible searching 
> > products by name, for example, so when the user writes something on the 
> > Edit, the SQLQuery1.SQL should become something like 'select * from 
> > product where name = ' + Edit1.Text + '
> 
> I assume you don't want to create an SQL injection bug, so you should either 
> properly escape Edit1.Text, or use query parameters instead; see e.g. 
> http://wiki.freepascal.org/Secure_programming#Injection. I recommend using 
> query parameters.

You could also use a filter, like 'tsqlquery.filter := 'name = ' +
edit1.text'. Then the dataset is filtered in memory. But if the dataset
is too big, and you only want to use a small sub-set, you could use the
'serverfilter'; this way the 'filter' is added to the SQL automatically.
But then you can get (just like by modifying the SQL yourself) an
injection bug.

-- 
Met vriendelijke groeten,

  Joost van der Sluis
  CNOC Informatiesystemen en Netwerken
  http://www.cnoc.nl
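The three approaches discussed in this thread side by side, as an added example (not code from the original posts): a string-built query, a parameterised query, and the in-memory filter versus ServerFilter. It assumes Free Pascal's sqldb unit and a TSQLQuery `Q` already connected to the product table.

```pascal
uses
  SysUtils, sqldb;

{ Risky: the user's text becomes part of the SQL statement, so an
  embedded single quote changes the statement's structure instead of
  being compared as data. This is the pattern the thread warns about. }
procedure SearchByNameUnsafe(Q: TSQLQuery; const Name: string);
begin
  Q.Close;
  Q.SQL.Text := 'select * from product where name = ''' + Name + '''';
  Q.Open;
end;

{ Recommended: bind the value as a query parameter. The database
  receives the statement and the value separately, so Name is never
  parsed as SQL, whatever characters it contains. }
procedure SearchByNameParam(Q: TSQLQuery; const Name: string);
begin
  Q.Close;
  Q.SQL.Text := 'select * from product where name = :name';
  Q.Params.ParamByName('name').AsString := Name;
  Q.Open;
end;

{ Filter variants from the reply. The in-memory Filter is evaluated by
  the dataset, not the database; ServerFilter is appended to the SQL
  sent to the server, so the value must be escaped. QuotedStr doubles
  embedded single quotes, which covers both filter parsers here. }
procedure SearchByNameFilter(Q: TSQLQuery; const Name: string;
  OnServer: Boolean);
begin
  if OnServer then
  begin
    Q.Close;
    Q.ServerFilter := 'name = ' + QuotedStr(Name);
    Q.ServerFiltered := True;
    Q.Open;
  end
  else
  begin
    // Dataset stays open; rows not matching the filter are hidden.
    Q.Filter := 'name = ' + QuotedStr(Name);
    Q.Filtered := True;
  end;
end;
```

Hook one of the safe variants to the TEdit's OnChange with `SearchByNameParam(SQLQuery1, Edit1.Text)`; the DBGrid refreshes through the TDatasource as before.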
