Problem with Mysql SQLdb connection

[gecob]

Hi to all!
I've a problem in execute this query:

Code: [Select]


conto :=  DDconto.Text;
   data := TBdata.Text;
   importo := TBimporto.Text;
   pagamento:=DDpagamento.Text;
   desc := TBdescrizione.Text;

SQLQuery1.SQL.Text:= 'Insert into entrate (tipoconto,importo,data,descrizione,tipopagamento) values (:pconto,:pimporto,:pdata,:pdesc,:ppagamento)';
   SQLQuery1.Params[0].AsString := conto;
   SQLQuery1.Params[1].AsString := importo;
   SQLQuery1.Params[2].AsString := data;
   SQLQuery1.Params[3].AsString := desc;
   SQLQuery1.Params[4].AsString := pagamento;


The exception is:
Parameters (not) yet supported for the MySQL SQLdb Connection

Is there any way to this query using the SQLdb component, or I've to use zeoslib?

[vop]

Hi

It should be possible, to do the query when you don't use parameters, like this

SQLQuery1.Sql.Text:='Insert into entrate (tipconto,....... ) values ( ' +
chr(39) + conto + Chr(39) + ',' + CHR(39) + importo + CHR(39) + ',' +
.... + ',' + CHR(39) + pagamento + CHR(39) + ')';

So what you have to do is: Create the Sql-command which contains the direct Sql (without) parameters and use chr(39) instead of ' (single quotation)

Disadvantages:
* A little less performance (not really much)
* You maybe have to escape your values, when they contain special characters like '

Hope that helps.
vop

[gecob]

Thanks!!
It works!!

[vop]

I forgot to mention a security risk of the shown way.

You have to be very careful with the contents of the variables to aware of SQL injection.
Example:
Maybe conto in the example above could have the value:
';;; DELETE * FROM SomeTable;

or something like that. So be warned!

vop