Question
Hey guys, I need help with this please... I am doing a PAT for school and I am doing the following; how can I correct it? I want to send an entered email address, name, ID number, birth date, gender and town, and all are strings. My statement is:

```delphi
Adoquery1.sql.text := 'insert into besprekings
values('email', 'name', 'Id', 'birth', 'gender', 'town')';
```
The fields are as follows:
Email(string), Name(string), ID(string), Birth(string), Gender(string), town(string)
This is not really homework; it is a project that counts 25% of my year's mark. I have finished everything but can't get this right. We have to bring in something new that we haven't learned in school, and for me that is opening programs like Mail (Windows 8) and doing this. I really appreciate everybody trying to help.

Answer 1:
You need to use parameterized queries, to prevent SQL injection. Even though that might not be something to worry about in your app now, it's best to get in the habit of doing it right in the first place. I'll show a little of the code, and you can figure out how to finish it yourself.
First, properly populate your SQL. Specify the names of the columns you're inserting into, and the parameter names you'll be using to populate them (the parts starting with `:`):

```delphi
ADOQuery1.SQL.Clear;
ADOQuery1.SQL.Add('INSERT INTO besprekings (email, name, Id)');
ADOQuery1.SQL.Add('VALUES (:email, :name, :Id)');
```
Now put the actual values to insert into the parameters, using the same names you used in your VALUES list:

```delphi
ADOQuery1.Parameters.ParamByName('email').Value := email;
ADOQuery1.Parameters.ParamByName('name').Value := name;
ADOQuery1.Parameters.ParamByName('Id').Value := Id;
```
Now, execute the query.
The added benefit of doing it with parameterized queries is that, once it's been run once, you can simply repopulate the parameters and run it again; the database will already have done what it needs to to *prepare* the query (hint: the word I marked has meaning for ADO and other databases - you should look into it), so that it's much faster when you use it again and again.
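The following is an added, complete example that is not code from the question or the answer above. It carries the answer's approach through all six columns the question lists, splits the one-time preparation from the per-row binding so the prepared statement is reused, and feeds a constructed value containing a single quote to show why the parameters matter. It assumes a TADOQuery already connected to a database holding a table besprekings(email, name, Id, birth, gender, town) with text columns; the procedure names and the sample rows are assumptions of this example.

```delphi
uses
  SysUtils, DB, ADODB;

// Added example (not the original poster's or the answerer's code).
// Assumes Q is a TADOQuery whose Connection is already open and whose
// database has a table besprekings with six text columns.

// Build and prepare the statement once. The SQL text holds only column
// names and parameter placeholders; the user's input never becomes part
// of the SQL string, so it cannot change the statement's structure.
procedure PrepareBesprekingInsert(Q: TADOQuery);
begin
  Q.Close;
  Q.SQL.Clear;
  Q.SQL.Add('INSERT INTO besprekings (email, name, Id, birth, gender, town)');
  Q.SQL.Add('VALUES (:email, :name, :Id, :birth, :gender, :town)');
  Q.Prepared := True;   // the database parses and plans the statement once
end;

// Bind one row's values and execute. Call as often as needed after
// PrepareBesprekingInsert; only the parameter values change between calls.
procedure InsertBespreking(Q: TADOQuery;
  const Email, Name, Id, Birth, Gender, Town: string);
begin
  Q.Parameters.ParamByName('email').Value  := Email;
  Q.Parameters.ParamByName('name').Value   := Name;
  Q.Parameters.ParamByName('Id').Value     := Id;
  Q.Parameters.ParamByName('birth').Value  := Birth;
  Q.Parameters.ParamByName('gender').Value := Gender;
  Q.Parameters.ParamByName('town').Value   := Town;
  Q.ExecSQL;
end;

// Inserts two constructed sample rows (sample data, not from the page).
// The second name contains a single quote: with parameters it is stored
// literally, whereas pasting it into the SQL string by hand would have
// produced a malformed (and tamperable) statement.
procedure InsertSampleBesprekings(Q: TADOQuery);
begin
  PrepareBesprekingInsert(Q);
  InsertBespreking(Q, 'anna@example.com', 'Anna Smit', '0001015009087',
    '2000-01-01', 'F', 'Pretoria');
  InsertBespreking(Q, 'sean@example.com', 'Sean O''Brien', '0002025009088',
    '2000-02-02', 'M', 'Durban');
end;
```

In a form, you would call PrepareBesprekingInsert once (for example in FormCreate) and InsertBespreking from the Save button's handler with the Text of each edit box; because the statement stays prepared, each later save only re-binds the six values and executes.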
Source: https://stackoverflow.com/questions/11833675/sql-query-with-variables