Delphi Parameterised Query won't work - sql

I'm only a beginner in learning to use Parameterised Queries as I used to do a lot of concatentating before. I've been trying to get this query below to work. It is a simple 'Book' table, with a field called 'BookTitle'. I have a simple textbox where I invite the user to enter any title...and it should run the query below to find if that book exists. Below is my code that, when run, manages to compile. However, when an entry into the textbox is added and the button to run the query is pressed, a Debugger Exception Notification appears with the following statement.
Debugger Exception Notification: Project Project1.exe raised exception class EOleException with message 'Arguments are of the wrong type, are out of acceptable range, or are in conflict with one another'.
I then have the option to press 'Break' or 'Continue'. If I press 'Break', the line:
qbook.Parameters.ParamByName('BookTitle').DataType := ftString;
is filled with a purple/red colour (not sure what this means?).
That said, if I press 'Continue', the program will work as expected, and will continue to do so. Here is the code i've been testing.
procedure TForm4.btnRunQueryClick(Sender: TObject);
var BookEntry:string;
begin
BookEntry:=edtBookTitle.Text;
qbook.SQL.Text:='SELECT BookTitle FROM Book WHERE BookTitle = :BookTitle';
qbook.Parameters.ParamByName('BookTitle').DataType := ftString;
qbook.Parameters.ParamByName('BookTitle').Value := BookEntry;
qbook.Open;
end;
Further points to note: The components in my Delphi form are as follows
a TADOQuery named 'qbook',
a TDataSource,
a TDBGrid,
aTEdit into which the user enters their desired search criteria and
a TButton that once pressed, initiates the query.
With regards to the database, it is:
a MySQL database (Community Edition)
a table named 'Book', where BookID is the PK and is of INT data type.
a field entitled 'BookTitle' which i've set as VARCHAR(35). It is not part of the key. However, it is in the BookTitle field, that i want to apply my query.

NOTE: This answer was posted based on the original code in the question, which has been edited to match what is in my answer. See the question's revision history for the first version of the question on which my answer was based.
The solution you saw in the other post was correct; it was just for a standard TQuery and not TADOQuery. TADOQuery requires a couple of minor syntax changes:
Use Parameters.ParamByName() instead of Parameters
Set a DataType for each parameter before using it
Use .Value instead of .AsString
Here's a corrected version of your code (which also includes setting a value for BookTitle before using it.
procedure TForm4.btnRunQueryClick(Sender: TObject);
var
BookEntry:string;
begin
BookEntry := 'Some book title'; // or QueryEdit.Text or whatever
qbook.SQL.Text:='SELECT BookTitle FROM Book WHERE BookTitle = :BookTitle';
qbook.Parameters.ParamByName('BookTitle').DataType := ftString;
qbook.Parameters.ParamByName('BookTitle').Value := BookEntry;
qbook.Open;
end;

I have never known a string type query parameter need the datatype or whatever set, I would simply remove any reference to the datatype.
After all, if it hurts when you bang your head on a wall, just stop banging it.

Related

Setting the value of an Enum field in a temporary record

Total newbie in AL here; I'm experimenting with automated testing in Dynamics BC for a new deployment. As a very basic test, I'd like to simply create a new Item record in the Cronus test database and validate each field. I'm running into trouble when I try to select the value for an enum field. Here's the code I'm using:
Procedure AddGoodItem()
// [Given] Good item data
var
recItem: Record Item Temporary;
Begin
recItem."Description" := 'zzzz';
recItem.validate("Description");
recItem.Type := recItem.Type::Inventory;
recItem.Validate(Type);
recItem."Base Unit of Measure" := 'EA';
recItem.Validate("Base Unit of Measure");
recItem."Item Category Code" := 'FURNITURE';
recItem.validate("Item Category Code");
End;
When I run this in Cronus, I get the error:
You cannot change the Type field on Item because at least one Item Journal Line exists for this item.
If I comment the Type lines out, the process runs successfully.
Given that this is a temporary record, it shouldn't have any Item Journal Lines, should it? What am I missing?
The code in the OnValidate trigger still runs, even if you have marked the Record variable as temporary. In addition temporary is not inherited to the underlying variables meaning any Record variables used in the OnValidate trigger are not temporary (unless marked as such).
There are two options:
Leave out the line recItem.Validate(Type);, if the code run by the OnValidate trigger is not relevant in this case.
Replace the line recItem.Validate(Type); with your own clone of the code from the OnValidate trigger and then remove the unneeded parts.

How to prevent SQL Injection in PL/SQL

We have some few packages where we need to resolve some SQL Injection issues. I need some help to rewrite sql statement or sanitize the inputs. Below is the line number where veracode throw the error.
open c_ccl (p_part_nr,p_ctry_cd);
// Source code
CREATE OR REPLACE EDITIONABLE PACKAGE BODY "schema"."Test_PKG" AS
v_data t_cla_class_data;
FUNCTION nat_eccn_cd( p_part_nr IN t_part_nr, p_ctry_cd IN t_ctry_cd )
RETURN t_us_eccn_cd IS
CURSOR c_ccl(p_part_nr CHAR, p_ctry_cd CHAR) IS
SELECT NAT_CCL_CD FROM CLSDBA.CLA_EXP_PART_CTRY e
WHERE e.PART_NR = p_part_nr AND e.CTRY_CD = p_ctry_cd
ORDER BY e.VAL_FROM_DT DESC;
v_ctry_cd char(4) := p_ctry_cd;
v_trf_cd char(4);
BEGIN
v_data.nat_eccn_cd := NULL;
open c_ccl (p_part_nr,p_ctry_cd);
fetch c_ccl INTO v_data.nat_eccn_cd;
close c_ccl;
return (trim(v_data.nat_eccn_cd));
exception when others then return NULL;
end;
I don't see any SQL injection issues with your code - there is no dynamic code where the user inputs could be evaluated and escape out of the expected code flow. Unless your code snippet is generated somewhere else, or one of the column names is really a function that calls dynamic SQL, your code looks safe.
You used the phrase "sanitize the inputs", which is terrible advice for database programming. As much as I love the comic strip XKCD, Randall got this one wrong.
Bind variables are the best solution to avoiding SQL injection. I'll take this opportunity to (poorly) change his comic:

can not get a type of DBGrid Column, free pascal

I use a free pascal lazarus. I have DBGrid that loads table from DB. I created columns in designer and sqlqueries to these columns. Everything is excellent. But when i need to get type of field i get an error: Project Admin raised exception class 'External: SIGSEGV'. I do it like this:
var s:Variant;
begin
s:=Column.FieldName; // there is ok. I get right column name
s:=Column.Field.FieldKind;//here i get an error
Thanks.

Using multiple SQL queries

I have done some searching and can't find a definitive answer to this one.
I am just getting into SQL so be gentle. Using D5, TNTUnicode, Zeos and SQLite3
I have a DBGrid with all the Account names in the tblAccounts showing.
I have a DBGrid with all the Folders in the tblFolders showing.
In the OnCellClick of the Accounts grid I have an SQL query
qryFolders.Close;
qryFolders.SQL.Clear; // Not really needed as I am assigning the Text next - but :)
qryFolders.SQL.Text:=
'SELECT Folder FROM tblFolders WHERE UPPER(Account)="FIRSTTRADER"'
qryFolders.ExecSQL;
tblFolders.Refresh;
In my application, nothing happens, I still have the full list of Folders visible.
In the SQL-Expert desktop that line works fine and displays only the two Folders associated with that Account. In that app it keeps displaying the full list of Folders
If I step through the OnCellClick it shows the correct Text etc.
Where am I going wrong?
Thanks
If you want to display a Master-Detail (Account as Master, Folder as Detail), so we start from here:
// connecting the grids
AccountsDataSource.DataSet := tblAccounts;
AccountsGrid.DataSource := AccountsDataSource;
FoldersDataSource := tblFolders;
FoldersGrid.DataSource := FoldersDataSource;
// retrieving the data
tblAccounts.Open;
tblFolders.Open;
That should reflect, what you already have. Now lets go to the Master-Detail.
It should be obvious that all Query and Table Components have a valid Connection set, so I will left this out.
First be sure, the Query is not active
qryFolders.Active := False;
Having a Master-Detail with a Query as Detail, we have to set the MasterSource
qryFolders.MasterSource := AccountsDataSource;
and after that we can setup the Query with parameters to link to the fields from MasterSource. Linking to the field Account in the MasterSource is done by using :Account
qryFolders.SQL.Text :=
'SELECT Folders FROM tblFolders WHERE UPPER( Account ) = :Account';
Now, we are ready to retrieve the data
qryFolders.Open;
Until this, we will not see any changes in the FoldersGrid, because we didn't told anyone to do so. Now let's get this to work with
FoldersDataSource.DataSet := qryFolders;
In your approach, you didn't Open the Query and you didn't link the Query to the Grid.
Another option is to have a Master-Detail without a separate Query.
(It seems there were some code refactoring, so i guess this is a working sample)
tblFolders.MasterSource := AccountsDataSource;
tblFolders.MasterFields := 'Account';
tblFolders.LinkedFields := 'Account';
Reference:
SourceForge ZTestMasterDetail.pas (see line 181ff)
SourceForge ZDataset.pas

how to create Delphi 4 structure to map column names in XLS to column names in SQL

I have an EXCEL sheet.it has various form-fields that are named as
“smrBgm133GallonsGross/ smrBgm167GallonsGross “
and
“smrEgm133GallonsGross/ smrEgm167GallonsGross “
I added to the XCEL sheets 2 new form fields named
smrBgm167GrosGalnsDA/smrEgm167GrosGalnsDA
The above additons I made in EXCEL should ACTUALLy be named as
`smrBgm229GallonsGross/smrEgm229GallonsGross` because. This is a MUST for the Delphi application to function properly.
This Delphi-4 application extracts , and vewrifys the form DATA in tandem with the DB.
My Delphi-4 application works (checks/inserts/retrieves) so that current months beginning gallon of milk “bgm229” is equal to last months ending gallon of milk “egm229” , and then throw an exception if they are different.
Excel sheets:- Bgm167GrosGalnsDA/ Egm160GrosGalnsDA
Delphi Code (DB- input/ DB- output/validation):- bgm229/ egm229
SQL 2005 DB:- bgm167DA/ egm167DA
Actually the columns I ADDED should have been named asa "smrEgm133GallonsGross/ smrEgm167GallonsGross "...I messed up in naming them and they are on the production now....
In the Delphi procedure,for the beginning inventory, the code it is
ExtractFormBgmInfo(smrMilkAvMilk, 'smrBgm133');
ExtractFormBgmInfo(smrMilkDe, 'smrBgm167');
For ending inventory the code it is
ExtractFormEgmInfo(smrMilkAvMilk, 'smrEgm133');
ExtractFormEgmInfo(smrMilkDe, 'smrEgm167');
I am adding “smrBgm229GrosGalns/smrEgm229GrosGalns” to the list
But the issue is that they are named erroneously as “smrBgm167GrosGalnsDA/ smrEgm167GrosGalnsDA” IN THE EXCEL sheets, while they are to be named as 'smrBgm229/'smrEgm229''(as is the case in the Delphi code). Hence. I added ...to the above
ExtractFormBgmInfo(smrMilkAvMilk, 'smrBgm133');
ExtractFormBgmInfo(smrMilkDe, 'smrBgm167');
ExtractFormBgmInfo(smrMilkDyedDe, 'smrBgm229');
ExtractFormEgmInfo(smrMilkAvMilk, 'smrEgm133');
ExtractFormEgmInfo(smrMilkDe, 'smrEgm167');
ExtractFormEgmInfo(smrMilkDyedDe, 'smrEgm229');
This throws an error , as smrBgm229GallonsGross /smrEgm229GallonsGross are not defined in the EXCEL sheets .So the issue is how do I convert “smrBgm167GrosGalnsDA” from Excel sheets into “smrBgm229GallonsGross” and then make my “ExtractForm” statement correct?
Please help there is an release scheduled today and got to discuss this with my superirors
What you want to do is map one string to another. You can use a simple string list for that.
// Declare the variable somewhere, such as at unit scope or as a field
// of your form class
var
ColumnNameMap: TStrings;
// Somewhere else, such as unit initialization or a class constructor,
// initialize the data structure with the column-name mappings.
ColumnNameMap := TStringList.Create;
ColumnNameMap.Values['Bgm167 GrosGalns DA'] := 'bgm229/ egm229';
// In yet a third place in your code, use something like this to map
// the column name in your input to the real column name in your output.
i := ColumnNameMap.IndexOfName(ColumnName);
if i >= 0 then
RealColumnName := ColumnNameMap.Values[ColumnName]
else
RealColumnName := ColumnName;
Later versions of Delphi have the generic TDictionary class. Use TDictionary<string, string>. The TStrings solution I outlined above will have problems if any of the column names can have equals signs in them, but you can mitigate that by changing the NameValueSeparator property.
var
ColumnNameMap: TDictionary<string, string>;
ColumnNameMap := TDictionary<string, string>.Create;
ColumnNameMap.Add('Bgm167 GrosGalns DA', 'bgm229/ egm229');
if not ColumnNameMap.TryGetValue(ColumnName, RealColumnName) then
RealColumnName := ColumnName;