Re: Dataset - More than one parameter [message #734812 is a reply to message #734810]
Mon, 10 October 2011 03:32
Eclipse User
Originally posted by: Donkey Hottie
10.10.2011 6:10, karvesh wrote:
> Dear All
>
> I have a little issue here when it comes to passing more than one
> parameter in the SQL dataset.
>
> When I have only one parameter, I do the following:
> SELECT * FROM MYTABLE WHERE ID = ?
>
> and then I create a parameter in the dataset that I link to the report
> parameter. It works fine. However, what do I do if I have more than one
> parameter? Do I put more "?" in the SQL?
>
> I read somewhere in the forum that there is a way like:
>
> Select * From MYTABLE where ID1 =@ID1 OR ID2 = @ID2
>
> Then in the code of my dataset's beforeOpen I put this script:
>
> queryText = queryText.replace("@ID1",params["param1"]);
> queryText = queryText.replace("@ID2",params["param2"]);
>
> It seems to address the issue. But is there a better way to do it?
>
> Please help me here. Thanking you in advance.
>
> Karvesh
Yes, there is a better way! Your way is dangerous and vulnerable to SQL
Injection attacks (the data is an HTTP param to your app!).
Just put ?,?,? until there are enough parameters... The parameters are
numbered from 1..n and each param goes to its ? in the string. That is
the purpose.
--
Q: Why did the astrophysicist order three hamburgers?
A: Because he was hungry.

Re: Dataset - More than one parameter [message #735045 is a reply to message #734876]
Mon, 10 October 2011 18:26
Eclipse User
Originally posted by: Donkey Hottie
10.10.2011 12:11, vandhanaa.r wrote:
> One way we can try is to directly write the query in
> beforeOpen() like below:
>
> this.queryText = "Select * From MYTABLE where ID1 ='"+ params["param1"]
> + "' OR ID2 ='" + params["param2"] + "'";
>
Absolutely no. This creates bad software.
--
I dote on his very absence.
-- William Shakespeare, "The Merchant of Venice"
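An added example, not part of either reply above. It is written in JavaScript because BIRT's beforeOpen scripts are JavaScript, and it contrasts the string-built query both replies reject (the `replace("@ID1", …)` and the `"… '" + params["param1"] + "'"` variants) with the positional `?` approach the first reply recommends. `prepareQuery`, `quoteLiteral` and `renderBound` are hypothetical helpers that stand in for what the JDBC driver does once BIRT hands it the fixed query text plus the bound dataset parameters; they are not a BIRT API, and in a real report the values never pass through script at all.

```javascript
// Added example (not from the forum thread). Shows why splicing values into
// the SQL text is unsafe and how positional "?" parameters keep the statement
// text fixed while the values travel separately.

// UNSAFE: this is the shape both replies reject. Any single quote inside a
// value closes the string literal and changes the statement itself, so the
// user controls SQL structure, not just data.
function buildUnsafeQuery(param1, param2) {
  return "SELECT * FROM MYTABLE WHERE ID1 = '" + param1 +
         "' OR ID2 = '" + param2 + "'";
}

// SAFE SHAPE: the SQL template is fixed at design time and contains one "?"
// per parameter. Values are carried beside it and bound by position (1..n),
// exactly as the first reply describes. Nothing is ever substituted into the
// text, so a value cannot become SQL. (Hypothetical helper, not a BIRT API.)
function prepareQuery(template, values) {
  const placeholders = (template.match(/\?/g) || []).length;
  if (placeholders !== values.length) {
    throw new Error("expected " + placeholders + " parameter(s), got " +
                    values.length);
  }
  const bindings = values.map((value, i) => ({ position: i + 1, value: value }));
  return { sql: template, bindings: bindings };
}

// Hypothetical stand-in for the driver's bind step: each value becomes a
// literal with embedded quotes doubled, so it can never close the literal.
// Real drivers usually send the values out of band instead; this rendering
// only makes the effect visible.
function quoteLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

function renderBound(prepared) {
  let i = 0;
  return prepared.sql.replace(/\?/g, () => quoteLiteral(prepared.bindings[i++].value));
}

// Constructed sample input: a perfectly ordinary value containing a quote.
const sampleId1 = "O'Brien";
const sampleId2 = 42;

// Unsafe build: an odd number of quotes, i.e. the statement is now broken
// (or, with a crafted value, rewritten).
const broken = buildUnsafeQuery(sampleId1, sampleId2);

// Parameterised build: template unchanged, two bindings at positions 1 and 2.
const prepared = prepareQuery(
  "SELECT * FROM MYTABLE WHERE ID1 = ? OR ID2 = ?",
  [sampleId1, sampleId2]
);
const bound = renderBound(prepared);
```

In BIRT the binding is done on the data set's Parameters page: dataset parameter 1 is linked to the first report parameter, parameter 2 to the second, and so on, matching the order of the `?` marks in the query. The count check in `prepareQuery` mirrors the error a driver raises when the number of bound parameters does not match the number of placeholders, which is the usual symptom of adding a `?` to the query without adding the matching dataset parameter.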