parameterized-query

How to test my ad-hoc SQL with parameters in Postgres query window

南笙酒味 提交于 2019-11-28 04:28:08
问题 In Microsoft SQL Server, to test something like this in the query window: select * from Users where LastName = @lastname I can add this before the command: declare @lastname varchar(16) set @lastname = 'Troy' But in PostgreSQL, I cannot find a similar way to do so. It seems the only thing I can do is to replace the parameter name directly with its value. It gets hard when the ad-hoc query gets complicated and the same parameter gets used several times. Is there a way? 回答1: Various options.

“Must declare the variable @myvariable” error with ADO parameterized query

亡梦爱人 提交于 2019-11-28 01:29:29
问题 i am trying to use parameterized queries with ADO. Executing the Command object throws the error: Must declare the variable '@filename' i declare the parameter @filename using CreateParameter/Append : sql := 'INSERT INTO Sqm(Filename, data) VALUES(@filename, @data)'; command := CoCommand.Create; command.Set_ActiveConnection(Connection.ConnectionObject); command.Set_CommandText(sql); command.Set_CommandType(adCmdText); command.Parameters.Append(Command.CreateParameter('@filename',

Issue with Oracle bind variables not using index properly

孤街醉人 提交于 2019-11-28 00:23:46
In my scenario, the following query runs fast (0.5 seconds on a table with 70 million rows): select * from Purchases where (purchase_id = 1700656396) and, it even runs fast using bind variables: var purchase_id number := 1700656396 select * from Purchases where (purchase_id = :purchase_id) These run fast because I have an index on the purchase_id column. (Keep reading...) I need to create a query that allows "filtering" on arbitrary columns. This means providing several input variables, and filtering on each one unless it is null . This works fine at first. For example, the following query

Bulk Parameterized Inserts

元气小坏坏 提交于 2019-11-28 00:12:58
问题 I'm trying to switch some hard-coded queries to use parameterized inputs, but I've run into a problem: How do you format the input for parameterized bulk inserts? Currently, the code looks like this: $data_insert = "INSERT INTO my_table (field1, field2, field3) "; $multiple_inserts = false; while ($my_condition) { if ($multiple_inserts) { $data_insert .= " UNION ALL "; } $data_insert .= " SELECT myvalue1, myvalue2, myvalue3 "; } $recordset = sqlsrv_query($my_connection, $data_insert); A

How to insert null value in Database through parameterized query

你。 提交于 2019-11-27 21:40:33
问题 I have a datetime datatype : dttm Also the database field type is datatime Now I am doing this: if (dttm.HasValue) { cmd.Parameters.AddWithValue("@dtb", dttm); } else { // It should insert null value into database // through cmd.Parameters.AddWithValue("@dtb", _____) } How can this be done. 回答1: Use DBNull.Value if (dttm.HasValue) { cmd.Parameters.AddWithValue("@dtb", dttm); } else { cmd.Parameters.AddWithValue("@dtb", DBNull.Value) } 回答2: This can be done using the null-coalescing operator:

Python sqlite3 parameterized drop table

半世苍凉 提交于 2019-11-27 16:12:26
I have a problem with dropping sqlite3 table in python. I am using standard sqlite3 module. self.conn = sqlite3.connect(...) sql = """ drop table ? """ self.conn.execute( sql, (u'table_name',) ) gives me OperationalError: near "?": syntax error When I change sql to: sql = """ drop table table_name """ it works fine. You cannot use parameters for table names nor column names. Alternatively you could make it a two-step process, e.g.: sql = """ drop table %s """ % a_table_name self.conn.execute( sql ) And if you're doing that you may want to explicitly specify which tables can be deleted...

Querying a SQL Server in Excel with a parameterized query using VBA

▼魔方 西西 提交于 2019-11-27 07:23:38
问题 I'm trying to query a table in Microsoft Excel using VBA. I've written up some code to try and accomplish this task, but I keep getting a run-time error '1004' saying it's a General ODBC error. I'm not sure what I need to do to get this code to run properly so I can query this table. I'm using SQL Server Express, the server I'm connecting to: .\SQLEXPRESS Database: Databaselink Querying the products table VBA Code: Sub ParameterQueryExample() '---creates a ListObject-QueryTable on Sheet1 that

Preventing SQL Injection in C

心已入冬 提交于 2019-11-27 07:06:55
问题 I am writing a C application that takes some user input and does a few database queries. I am well aware of the risks here of SQL injection and wish to prevent it. Ideally I would use parameterized queries, but have been unable to find anything with this functionality in C so far. I am currently constructing my queries as such: char *query; asprintf(&query, "UPDATE SomeTable SET SomeField='%s';", userInput); If I am unable to do this, then I must need to filter the user input. How should this

How do you specify 'DEFAULT' as a SQL parameter value in ADO.NET?

空扰寡人 提交于 2019-11-27 03:52:33
问题 I have a parameterized SQL query targetted for SQL2005 which is dynamically created in code, so I used the ADO.NET SqlParameter class to add sql parameters to SqlCommand . In the aforementioned SQL I select from a Table Valued Function with has defaults. I want my dynamic sql to sometimes specify a value for these default parameters, and other times I want to specify that the SQL DEFAULT - as defined in the Table Valued Function - should be used. To keep the code clean I didn't want to

How do I re-write a SQL query as a parameterized query?

二次信任 提交于 2019-11-27 02:28:00
I have heard that I can prevent SQL injection attacks by using parameterized queries, but I do not know how to write them. How would I write the following as a parameterized query? SqlConnection con = new SqlConnection( "Data Source=" + globalvariables.hosttxt + "," + globalvariables.porttxt + "\\SQLEXPRESS;" + "Database=ha;" + "Persist Security Info=false;" + "UID='" + globalvariables.user + "';" + "PWD='" + globalvariables.psw + "'"); string query = "SELECT distinct ha FROM app WHERE 1+1=2"; if (comboBox1.Text != "") { query += " AND firma = '" + comboBox1.Text + "'"; } if (comboBox2.Text !=
订阅 parameterized-query