[Gambas-user] Using dates in Gambas

Benoît Minisini g4mba5 at gmail.com
Thu May 30 15:34:06 CEST 2019


On 30/05/2019 at 10:54, David Silverwood via User wrote:
> Hi. Me again
> 
> So this is my code...
> 
> Public Sub btnUpdate_Click()
> 
>     $Sql = "UPDATE cashup SET ("
>     $Sql = $Sql & "date = '" & edtDate.Text & "', "
>     $Sql = $Sql & "ref = '" & edtTransNo.Text & "', "
>     $Sql = $Sql & "amount = " & ValueBox1.Text & ", "
>     $Sql = $Sql & "comment = '" & edtDescription.Text & "', "
>     $Sql = $Sql & "WHERE date = '" & edtDate.Text & "';"
> 

You MUST NOT make your SQL request like that.

NEVER.

███╗   ██╗███████╗██╗   ██╗███████╗██████╗     ██╗
████╗  ██║██╔════╝██║   ██║██╔════╝██╔══██╗    ██║
██╔██╗ ██║█████╗  ██║   ██║█████╗  ██████╔╝    ██║
██║╚██╗██║██╔══╝  ╚██╗ ██╔╝██╔══╝  ██╔══██╗    ╚═╝
██║ ╚████║███████╗ ╚████╔╝ ███████╗██║  ██║    ██╗
╚═╝  ╚═══╝╚══════╝  ╚═══╝  ╚══════╝╚═╝  ╚═╝    ╚═╝

You must use the substitution feature of the Exec(), Find()... methods 
of the Connection object, which takes care of quoting SQL values for you 
according to the underlying database, to prevent SQL injection.

And you must convert the text entered in the controls into the 
corresponding datatypes (Date, Integer, Float, Boolean, String) before 
passing them to the Exec(), Find()... methods.

Regards,

-- 
Benoît Minisini

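The handler from the original post, rewritten the way the reply recommends, as an added example (this is not code from the thread or from the Gambas project). It assumes `$Conn` is a `Connection` that has already been opened, that the control names are the ones in the post, and that the date is typed in the localized format, so it is parsed with `Val()` and type-checked rather than with `CDate()`; the transaction around the update and the `ParseDate` helper are additions of this example. The stray parenthesis after `SET` and the comma before `WHERE` in the posted query are also dropped.

```gambas
' Added example: btnUpdate_Click with placeholder substitution instead of
' string concatenation. $Conn, ParseDate and the transaction are assumptions
' of this example; the control names come from the original post.

Private $Conn As Connection

' Convert text typed in a control into a Date. Val() parses the string in the
' localized format and returns a Variant, so the type is checked explicitly:
' anything that is not a date is rejected instead of reaching the database.
Private Function ParseDate(sText As String) As Date

  Dim vValue As Variant

  vValue = Val(Trim(sText))
  If TypeOf(vValue) <> gb.Date Then Error.Raise("Not a date: " & sText)
  Return vValue

End

Public Sub btnUpdate_Click()

  Dim dDate As Date
  Dim fAmount As Float
  Dim rResult As Result

  ' 1) Convert every field to its datatype first; a bad entry stops here.
  Try dDate = ParseDate(edtDate.Text)
  If Error Then
    Message.Error("Invalid date: " & edtDate.Text)
    Return
  Endif

  Try fAmount = CFloat(ValueBox1.Text)
  If Error Then
    Message.Error("Invalid amount: " & ValueBox1.Text)
    Return
  Endif

  ' 2) Let Exec() substitute &1, &2, ... with the arguments. Each argument is
  '    quoted according to its type and the database driver, so a comment such
  '    as  '; DROP TABLE cashup; --  is stored as a string, never executed.
  $Conn.Begin
  Try $Conn.Exec("UPDATE cashup SET ref = &1, amount = &2, comment = &3 WHERE date = &4", edtTransNo.Text, fAmount, edtDescription.Text, dDate)
  If Error Then
    $Conn.Rollback
    Message.Error("Update failed: " & Error.Text)
    Return
  Endif
  $Conn.Commit

  ' Find() accepts the same placeholders for its WHERE clause.
  rResult = $Conn.Find("cashup", "date = &1", dDate)
  Print rResult.Count; " row(s) match "; dDate

End
```

The order matters: the conversions run before any SQL is built, so a malformed date or amount produces a local error message and never becomes part of a request, and the values handed to `Exec()` already carry the type the driver needs to quote them correctly.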
