[Gambas-user] Using dates in Gambas
Benoît Minisini
g4mba5 at gmail.com
Thu May 30 15:34:06 CEST 2019
On 30/05/2019 at 10:54, David Silverwood via User wrote:
> Hi. Me again
>
> So this is my code...
>
> Public Sub btnUpdate_Click()
>
>   $Sql = "UPDATE cashup SET ("
>   $Sql = $Sql & "date = '" & edtDate.Text & "', "
>   $Sql = $Sql & "ref = '" & edtTransNo.Text & "', "
>   $Sql = $Sql & "amount = " & ValueBox1.Text & ", "
>   $Sql = $Sql & "comment = '" & edtDescription.Text & "', "
>   $Sql = $Sql & "WHERE date = '" & edtDate.Text & "';"
>
You MUST NOT make your SQL request like that.
NEVER.
███╗ ██╗███████╗██╗ ██╗███████╗██████╗ ██╗
████╗ ██║██╔════╝██║ ██║██╔════╝██╔══██╗ ██║
██╔██╗ ██║█████╗ ██║ ██║█████╗ ██████╔╝ ██║
██║╚██╗██║██╔══╝ ╚██╗ ██╔╝██╔══╝ ██╔══██╗ ╚═╝
██║ ╚████║███████╗ ╚████╔╝ ███████╗██║ ██║ ██╗
╚═╝ ╚═══╝╚══════╝ ╚═══╝ ╚══════╝╚═╝ ╚═╝ ╚═╝
You must use the substitution feature of the Exec(), Find()... methods
of the Connection object, which takes care of quoting SQL values for you
according to the underlying database, to prevent SQL injections.
And you must convert the text entered in the controls into the
corresponding datatypes (Date, Integer, Float, Boolean, String) before
passing them to the Exec(), Find()... methods.
Regards,
--
Benoît Minisini