Joost van der Sluis wrote:
On Tue, 2007-07-17 at 08:34 +0200, Bram Kuijvenhoven wrote:
German C. Basisty wrote:
I have now a form with a working TPQConnection, a TSQLTransaction, a
TSQLQuery with 'select * from product' as SQL, a TDatasource, and a
TDBGrid; everything is working fine and every product is shown on the
DBGrid as expected. Now I want to add a TEdit to make it possible to search
products by name, for example, so when the user writes something in the
Edit, the SQLQuery1.SQL should become something like 'select * from
product where name = ' + Edit1.Text + '
I assume you don't want to create an SQL injection bug, so you should either
properly escape Edit1.Text, or use query parameters instead; see e.g.
http://wiki.freepascal.org/Secure_programming#Injection. I recommend using
query parameters.
You could also use a filter, like tsqlquery.filter := 'name = ' +
edit1.text; then the dataset is filtered in memory. But if the dataset
is too big and you only want to use a small sub-set, you could use the
'serverfilter'; this way the 'filter' is added to the SQL automatically.
But then you can get (just like by modifying the SQL yourself) an
injection bug.
I didn't know about ServerFilter. [/me is looking it up...] Ah, from the SQLDB
source I see the contents of ServerFilter are simply pasted into the query (at
the right place, with a WHERE () or AND () added). I assume that this is also
the intended behavior? (That is of course no problem, as long as the user is
aware of this).
Bram
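The two approaches discussed in this thread side by side, as an added Free Pascal example that is not code from any of the posters or from the SQLDB sources: the string-concatenation version German described (which has the injection problem Bram points out), the query-parameter version Bram recommends, and the ServerFilter variant Joost mentions, whose text is pasted into the SQL and therefore must never contain user input. The database name, credentials, the program structure and the `CountMatches` helper are assumptions made for the example; only `product`, `name`, `TPQConnection`, `TSQLTransaction`, `TSQLQuery` and `ServerFilter` come from the thread.

```pascal
program ProductSearch;
{$mode objfpc}{$H+}

uses
  SysUtils, Classes, db, sqldb, pqconnection;

var
  Conn: TPQConnection;
  Trans: TSQLTransaction;
  Query: TSQLQuery;

// UNSAFE: the approach from the original question. UserInput becomes part
// of the SQL text, so a single quote inside it ends the string literal and
// whatever follows is executed as SQL (an injection bug).
procedure SearchByNameUnsafe(const UserInput: string);
begin
  Query.Close;
  Query.SQL.Text := 'select * from product where name = ''' + UserInput + '''';
  Query.Open;
end;

// SAFE: the value is bound to the :name parameter. TSQLQuery parses the
// placeholder (ParseSQL is True by default) and the driver sends the value
// separately from the statement, so its contents can never change the query.
procedure SearchByNameSafe(const UserInput: string);
begin
  Query.Close;
  Query.SQL.Text := 'select * from product where name = :name';
  Query.Params.ParamByName('name').AsString := UserInput;
  Query.Open;
end;

// ServerFilter is appended to the SQL as text ("WHERE (...)" / "AND (...)"),
// exactly like concatenating it yourself. It is fine for a fixed expression
// chosen by the program, but user input must not be placed in it.
procedure ShowOnlyInStock;
begin
  Query.Close;
  Query.SQL.Text := 'select * from product';
  Query.ServerFilter := 'stock > 0';   // assumed column, constant expression
  Query.ServerFiltered := True;
  Query.Open;
end;

// Helper (assumed, not from the thread): number of rows the open query returned.
function CountMatches: Integer;
begin
  Result := 0;
  Query.First;
  while not Query.EOF do
  begin
    Inc(Result);
    Query.Next;
  end;
end;

begin
  Conn := TPQConnection.Create(nil);
  Trans := TSQLTransaction.Create(nil);
  Query := TSQLQuery.Create(nil);
  try
    // Placeholder connection settings; replace with real ones.
    Conn.HostName := 'localhost';
    Conn.DatabaseName := 'shopdb';
    Conn.UserName := 'shop';
    Conn.Password := 'PLACEHOLDER';
    Conn.Transaction := Trans;
    Trans.Database := Conn;
    Query.Database := Conn;
    Query.Transaction := Trans;
    Conn.Open;

    // Where Edit1.Text would come from in the GUI version.
    SearchByNameSafe(ParamStr(1));
    WriteLn('Products named "', ParamStr(1), '": ', CountMatches);

    ShowOnlyInStock;
    WriteLn('Products in stock: ', CountMatches);
  finally
    Query.Free;
    Trans.Free;
    Conn.Free;
  end;
end.
```

In the form-based version from the question, `SearchByNameSafe(Edit1.Text)` would be called from the edit control's OnChange or a search button's OnClick; `SearchByNameUnsafe` is included only to make the contrast visible and should not be used.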
_________________________________________________________________
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject
archives at http://www.lazarus.freepascal.org/mailarchives