Re: [lazarus] Another little help with databases
On Tue, 2007-07-17 at 21:40 +0200, Bram Kuijvenhoven wrote:

> I didn't know about ServerFilter. [/me is looking it up...] Ah, from
> the SQLDB source I see the contents of ServerFilter are simply pasted
> into the query (at the right place, with a WHERE () or AND () added).
> I assume that this is also the intended behavior? (That is of course
> no problem, as long as the user is aware of this).

Yes. It obviously only works with ParseSQL set to true. It also automatically handles the refresh of the dataset.

--
Kind regards,

Joost van der Sluis
CNOC Informatiesystemen en Netwerken
http://www.cnoc.nl

_
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe" as the Subject
archives at http://www.lazarus.freepascal.org/mailarchives
Re: [lazarus] Another little help with databases
Joost van der Sluis wrote:
> On Tue, 2007-07-17 at 08:34 +0200, Bram Kuijvenhoven wrote:
> > German C. Basisty wrote:
> > > I have now a form with a working TPQConnection, a TSQLTransaction, a
> > > TSQLQuery with a 'select * from product' as SQL, a TDatasource, and a
> > > TDBGrid, everything is working fine and every product is shown on the
> > > DBGrid as expected. Now I want to add a TEdit to make possible searching
> > > products by name, for example, so when the user writes something on the
> > > Edit, the SQLQuery1.SQL should become something like 'select * from
> > > product where name = ' + Edit1.Text + '
> >
> > I assume you don't want to create an SQL injection bug, so you should either
> > properly escape Edit1.Text, or use query parameters instead; see e.g.
> > http://wiki.freepascal.org/Secure_programming#Injection. I recommend using
> > query parameters.
>
> You could also use a filter. Like 'tsqlquery.filter := 'name = ' + edit1.text.
> then the dataset is filtered in memory. But if the dataset is too big, and you
> only want to use a small sub-set, you could use the 'serverfilter', this way
> the 'filter' is added to the sql automatically. But then you can get (just
> like by modifying the sql yourself) an injection-bug.

I didn't know about ServerFilter. [/me is looking it up...] Ah, from the SQLDB source I see the contents of ServerFilter are simply pasted into the query (at the right place, with a WHERE () or AND () added). I assume that this is also the intended behavior? (That is of course no problem, as long as the user is aware of this).

Bram
Re: [lazarus] Another little help with databases
On Tue, 2007-07-17 at 08:34 +0200, Bram Kuijvenhoven wrote:
> German C. Basisty wrote:
> > I have now a form with a working TPQConnection, a TSQLTransaction, a
> > TSQLQuery with a 'select * from product' as SQL, a TDatasource, and a
> > TDBGrid, everything is working fine and every product is shown on the
> > DBGrid as expected. Now I want to add a TEdit to make possible searching
> > products by name, for example, so when the user writes something on the
> > Edit, the SQLQuery1.SQL should become something like 'select * from
> > product where name = ' + Edit1.Text + '
>
> I assume you don't want to create an SQL injection bug, so you should either
> properly escape Edit1.Text, or use query parameters instead; see e.g.
> http://wiki.freepascal.org/Secure_programming#Injection. I recommend using
> query parameters.

You could also use a filter. Like 'tsqlquery.filter := 'name = ' + edit1.text. then the dataset is filtered in memory. But if the dataset is too big, and you only want to use a small sub-set, you could use the 'serverfilter', this way the 'filter' is added to the sql automatically. But then you can get (just like by modifying the sql yourself) an injection-bug.

--
Kind regards,

Joost van der Sluis
CNOC Informatiesystemen en Netwerken
http://www.cnoc.nl
Re: [lazarus] Another little help with databases
Bram Kuijvenhoven wrote:
> German C. Basisty wrote:
> > I have now a form with a working TPQConnection, a TSQLTransaction, a
> > TSQLQuery with a 'select * from product' as SQL, a TDatasource, and a
> > TDBGrid,
>
> so you should either properly escape Edit1.Text, or use query parameters instead
>
> I recommend using query parameters.
>
> Regards,
>
> Bram

I totally agree in principle, but I am trying to use pretty much the same configuration as German and I am having lots of trouble getting query parameters to behave, so perhaps that is not the best idea for first experiments ...

cheers,
John Sunderland
RE: [lazarus] Another little help with databases
Thank you all for your useful help.

Best regards,
German

-----Original Message-----
From: Bram Kuijvenhoven [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 17 July 2007 03:34 a.m.
To: lazarus@miraclec.com
Subject: Re: [lazarus] Another little help with databases

German C. Basisty wrote:
> I have now a form with a working TPQConnection, a TSQLTransaction, a
> TSQLQuery with a 'select * from product' as SQL, a TDatasource, and a
> TDBGrid, everything is working fine and every product is shown on the
> DBGrid as expected. Now I want to add a TEdit to make possible searching
> products by name, for example, so when the user writes something on the
> Edit, the SQLQuery1.SQL should become something like 'select * from
> product where name = ' + Edit1.Text + '

I assume you don't want to create an SQL injection bug, so you should either properly escape Edit1.Text, or use query parameters instead; see e.g. http://wiki.freepascal.org/Secure_programming#Injection. I recommend using query parameters.

Regards,

Bram
Re: [lazarus] Another little help with databases
German C. Basisty wrote:
> I have now a form with a working TPQConnection, a TSQLTransaction, a
> TSQLQuery with a 'select * from product' as SQL, a TDatasource, and a
> TDBGrid, everything is working fine and every product is shown on the
> DBGrid as expected. Now I want to add a TEdit to make possible searching
> products by name, for example, so when the user writes something on the
> Edit, the SQLQuery1.SQL should become something like 'select * from
> product where name = ' + Edit1.Text + '

I assume you don't want to create an SQL injection bug, so you should either properly escape Edit1.Text, or use query parameters instead; see e.g. http://wiki.freepascal.org/Secure_programming#Injection. I recommend using query parameters.

Regards,

Bram
Re: [lazarus] Another little help with databases
German C. Basisty wrote:
> Hi again! Well, I'm still learning...
>
> I have now a form with a working TPQConnection, a TSQLTransaction, a
> TSQLQuery with a 'select * from product' as SQL, a TDatasource, and a
> TDBGrid, everything is working fine and every product is shown on the
> DBGrid as expected. Now I want to add a TEdit to make possible searching
> products by name, for example, so when the user writes something on the
> Edit, the SQLQuery1.SQL should become something like 'select * from
> product where name = ' + Edit1.Text + '
>
> Now my questions:
>
> - How do I write in pascal a " ' " inside a " ' "? I mean, in C++ I use "
> as string container, but in pascal I should use ', so, how do I do it?

Double single-quote marks:

'This is a string constant with ''quote'' in single quotes'.

represents a single quote as a string constant.

> - How can I do an update after I change the SQLQuery1.SQL property? I mean,
> if at the beginning the DBGrid shows all products, then I change the
> SQLQuery1.SQL property, how do I do to make the DBGrid show the new
> filtered content

As far as I know, if you change the SQL you have to close the query and reopen it. This process re-parses it, prepares it, etc.

> Best regards,
> German

cheers,
John Sunderland
Re: [lazarus] Another little help with databases
German C. Basisty wrote:
> - How do I write in pascal a " ' " inside a " ' "? I mean, in C++ I
> use " as string container, but in pascal I should use ', so, how do I do it?

Just use two single quotes like so:

Str := 'This is a string with a '' char in it';

Regards,
Andrew
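A worked version of the three approaches discussed in this thread, added here as an example and not code posted by German, Bram, Joost, John or Andrew: the string concatenation sketched in the question (kept only as the pattern to avoid), the query parameter Bram recommends, and the in-memory Filter Joost mentions, together with the close/reopen John describes and the doubled single quote from Andrew's answer. It assumes a Lazarus form TForm1 holding the components German listed (PQConnection1, SQLTransaction1, SQLQuery1, DataSource1, DBGrid1) plus Edit1; the unit name and the three method names are made up for the illustration.

```pascal
{ Added example for this thread; not code from any of the posters.
  Assumes a Lazarus form TForm1 with the components German listed
  plus Edit1. Unit and method names are hypothetical. }
unit SearchForm;

{$mode objfpc}{$H+}

interface

uses
  SysUtils, Classes, DB, sqldb, pqconnection, Forms, StdCtrls, DBGrids;

type
  TForm1 = class(TForm)
    PQConnection1: TPQConnection;
    SQLTransaction1: TSQLTransaction;
    SQLQuery1: TSQLQuery;
    DataSource1: TDataSource;
    DBGrid1: TDBGrid;
    Edit1: TEdit;
    procedure Edit1Change(Sender: TObject);
  private
    procedure SearchByConcatenation;   { the pattern from the question: avoid }
    procedure SearchByParameter;       { Bram's recommendation }
    procedure SearchByFilter;          { Joost's in-memory alternative }
  end;

implementation

{ What the original question sketched. The edit text becomes part of the
  statement, so a name containing a single quote changes the SQL itself;
  that is the injection bug Bram warned about. Shown only as the "before". }
procedure TForm1.SearchByConcatenation;
begin
  SQLQuery1.Close;
  { '''' is a string constant holding one single quote (Andrew's answer) }
  SQLQuery1.SQL.Text := 'select * from product where name = ''' + Edit1.Text + '''';
  SQLQuery1.Open;
end;

{ Query parameter: :name is a placeholder in the SQL text. SQLDB creates the
  parameter from the text (ParamCheck is on by default) and passes the value
  separately from the statement, so quotes in Edit1.Text stay plain data. }
procedure TForm1.SearchByParameter;
begin
  SQLQuery1.Close;                 { John: changed SQL needs close and reopen }
  SQLQuery1.SQL.Text := 'select * from product where name = :name';
  SQLQuery1.Params.ParamByName('name').AsString := Edit1.Text;
  SQLQuery1.Open;                  { re-parses, prepares and refreshes the grid }
end;

{ Client-side filter over the rows already fetched. Nothing extra is sent to
  the server, but QuotedStr still doubles embedded quotes so the filter
  expression stays well-formed for any input. }
procedure TForm1.SearchByFilter;
begin
  SQLQuery1.Filter := 'name = ' + QuotedStr(Edit1.Text);
  SQLQuery1.Filtered := Edit1.Text <> '';   { empty edit shows every product }
end;

procedure TForm1.Edit1Change(Sender: TObject);
begin
  SearchByParameter;   { swap for SearchByFilter to filter in memory instead }
end;

end.
```

Wire Edit1Change to the edit's OnChange event in the form designer. The parameterised version is the one to keep: it refreshes the grid through Close/Open exactly as John describes, and the search text never touches the statement text, which is what removes the injection risk Bram pointed out.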