Author Topic: sql code not work  (Read 424 times)

cryptid

  • Newbie
  • Posts: 3
sql code not work
« on: April 02, 2021, 10:17:20 am »
sql code not work

Code: Pascal
  procedure TForm1.Edit1KeyPress(Sender: TObject; var Key: char);
  begin
    with SQLQuery1 do
      begin
         SQL.Clear;
         SQL.Add('select * from log WHERE user LIKE"'+Edit1.Text+'%"');
         Active:=True;
      end;
  end;

[Edited to add code tags: Please see How to use the Forum.]
« Last Edit: April 02, 2021, 10:37:54 am by trev »

ttomas

  • Full Member
  • ***
  • Posts: 200
Re: sql code not work
« Reply #1 on: April 02, 2021, 10:33:22 am »
I don't see SPACE after LIKE

MarkMLl

  • Hero Member
  • *****
  • Posts: 2508
Re: sql code not work
« Reply #2 on: April 02, 2021, 10:38:06 am »
I don't see SPACE after LIKE

Well spotted, probably needs ' %'

MarkMLl
Turbo Pascal v1 on CCP/M-86, multitasking with LAN and graphics in 128Kb.
Pet hate: people who boast about the size and sophistication of their computer.
GitHub repositories: https://github.com/MarkMLl?tab=repositories

egsuh

  • Hero Member
  • *****
  • Posts: 716
Re: sql code not work
« Reply #3 on: April 02, 2021, 11:34:36 am »
Using format can be of help.

SQL.Text:= Format('select * from log where user like ''%s%%'';',  [Edit1.Text]);

%s is replaced by Edit1.Text. %% is read as %.

PierceNg

  • Full Member
  • ***
  • Posts: 104
Re: sql code not work
« Reply #4 on: April 02, 2021, 12:03:03 pm »
SQL string construction is vulnerable to SQL injection. Should use parameterization:

Code: Pascal
  SQL.Text:= 'select * from log where user like :PATTERN;';
  { TParams has ParamByName, not ParamsByName; the wildcard belongs in the
    parameter value, since the SQL text no longer carries the trailing % }
  Params.ParamByName('PATTERN').AsString := Edit1.Text + '%';

See https://bobby-tables.com/.
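The following is an added example, not code from any poster in this thread. It puts the two approaches side by side with Free Pascal's sqldb against an in-memory SQLite database: the concatenated LIKE from the original post (with the space after LIKE that Replies #1 and #2 point out), and the parameterised LIKE from Reply #4. The table, rows and the function names ConcatenatedLike, ParameterisedLike and RunAndCollect are constructed for this example; it assumes the sqldb and sqlite3conn units and a working libsqlite3.

```pascal
program LikeParamDemo;
{ Added example (not from the thread): string-concatenated LIKE versus a
  parameterised LIKE, run against a constructed in-memory SQLite table. }
{$mode objfpc}{$H+}

uses
  SysUtils, sqldb, sqlite3conn;

var
  Conn: TSQLite3Connection;
  Trans: TSQLTransaction;
  Q: TSQLQuery;

{ Open the prepared query and return the matched user names, comma-separated. }
function RunAndCollect: string;
begin
  Result := '';
  Q.Open;
  try
    while not Q.EOF do
    begin
      if Result <> '' then Result := Result + ',';
      Result := Result + Q.FieldByName('user').AsString;
      Q.Next;
    end;
  finally
    Q.Close;
  end;
end;

{ The original post's approach: the user-supplied text is spliced into the SQL. }
function ConcatenatedLike(const Prefix: string): string;
begin
  Q.SQL.Text := 'select * from log where user like ''' + Prefix + '%''';
  Result := RunAndCollect;
end;

{ Reply #4's approach: the pattern travels as a parameter; the wildcard is
  appended to the value rather than to the SQL text. }
function ParameterisedLike(const Prefix: string): string;
begin
  Q.SQL.Text := 'select * from log where user like :pattern';
  Q.Params.ParamByName('pattern').AsString := Prefix + '%';
  Result := RunAndCollect;
end;

begin
  Conn := TSQLite3Connection.Create(nil);
  Trans := TSQLTransaction.Create(nil);
  Q := TSQLQuery.Create(nil);
  try
    Conn.DatabaseName := ':memory:';
    Conn.Transaction := Trans;
    Trans.DataBase := Conn;
    Q.DataBase := Conn;
    Q.Transaction := Trans;
    Conn.Open;
    Trans.StartTransaction;
    { Constructed sample rows; one user name contains an apostrophe. }
    Conn.ExecuteDirect('create table log(id integer, user text, msg text)');
    Conn.ExecuteDirect('insert into log values (1, ''alice'', ''login'')');
    Conn.ExecuteDirect('insert into log values (2, ''albert'', ''logout'')');
    Conn.ExecuteDirect('insert into log values (3, ''o''''brien'', ''login'')');
    Trans.Commit;

    WriteLn('parameterised, prefix "al": ', ParameterisedLike('al'));
    WriteLn('parameterised, prefix "o''": ', ParameterisedLike('o'''));

    { The same apostrophe breaks the concatenated statement: the quote closes
      the literal early and the database rejects the malformed SQL. }
    try
      WriteLn('concatenated, prefix "o''": ', ConcatenatedLike('o'''));
    except
      on E: Exception do
        WriteLn('concatenated, prefix "o''": ', E.ClassName, ': ', E.Message);
    end;
  finally
    Q.Free;
    Trans.Free;
    Conn.Free;
  end;
end.
```

The parameterised form returns alice,albert for the prefix al and o'brien for the prefix o', while the concatenated form raises a database error on the second input because the quote is interpreted as SQL syntax. Note that a parameter does not neutralise LIKE's own metacharacters: a % or _ typed into Edit1 is still a wildcard, so if that matters the application has to escape those characters (or use an ESCAPE clause) before building the pattern value.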

flori

  • Full Member
  • ***
  • Posts: 185
Re: sql code not work
« Reply #5 on: April 02, 2021, 01:30:53 pm »
Code: Pascal
  SQLQuery1.Active:=false;
  SQLQuery1.SQL.Clear;
  SQLQuery1.SQL.Append('select * from log WHERE user LIKE '''+edit1.Text+'%''');
  SQLQuery1.Active:=true;
« Last Edit: April 02, 2021, 01:32:52 pm by flori »
