MySQL
EVOSandru6, 2014-12-02 09:27:23

How to correctly insert a variable into a sql query string in c++?

There is a query like this:

myQuery->SQL->Text = "SELECT  f_department.CODE, f_department.NAME FROM f_department LEFT JOIN l_modules_22_department ON l_modules_22_department.CODE_2 = f_department.CODE WHERE l_modules_22_department.CODE_1 = '"+ depBlock[i].moduleCode + "'";

It throws an error:
[BCC32 Error] Unit1.cpp(1099): E2085 Invalid pointer addition
Full parser context
Unit1.cpp(1014): parsing: void showDepFormCreate(pack *)

The error disappears if I change this way:
myQuery->SQL->Text = "SELECT  f_department.CODE, f_department.NAME FROM f_department LEFT JOIN l_modules_22_department ON l_modules_22_department.CODE_2 = f_department.CODE WHERE l_modules_22_department.CODE_1 = " + depBlock[i].moduleCode;

This way I lose the single quotes, which in theory is not very good. Help me figure it out.


3 answer(s)
Armenian Radio, 2014-12-02
@gbg

Never build queries by concatenation!
Even single quotes won't save you from SQL injection. Look for how to implement prepare-execute in your MySQL library.

Rsa97, 2014-12-02
@Rsa97

Cast strings explicitly to AnsiString:

myQuery->SQL->Text = (AnsiString)"SELECT  f_department.CODE, f_department.NAME FROM f_department LEFT JOIN l_modules_22_department ON l_modules_22_department.CODE_2 = f_department.CODE WHERE l_modules_22_department.CODE_1 = '"
    + depBlock[i].moduleCode + (AnsiString)"'";

EVOSandru6, 2014-12-03
@EVOSandru6

I like this option

myQuery->SQL->Text = String("SELECT  f_department.CODE, f_department.NAME FROM f_department LEFT JOIN l_modules_22_department ON l_modules_22_department.CODE_2 = f_department.CODE WHERE l_modules_22_department.CODE_1 = ") + QuotedStr(depBlock[i].moduleCode);
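
The following is an added example, not code from the thread or from its participants. It shows why the first answer's warning still applies to the QuotedStr variant above, and what the prepare-execute alternative changes. It assumes MySQL's default string syntax (backslash escapes enabled; sql_mode NO_BACKSLASH_ESCAPES would turn them off), uses a local quotedStr() as a stand-in for the VCL QuotedStr (wraps in quotes and doubles embedded quotes), and the three input values are constructed. The table and column names are the ones posted; the placeholder syntax and the PreparedQuery struct are illustrative, not a real library API.

```cpp
// Added example (not from the thread): why QuotedStr-style quoting can still be
// broken under MySQL's default string syntax, and what a parameterized query
// changes. Table/column names are the ones posted; inputs are constructed.
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Stand-in for Delphi/C++Builder QuotedStr: wrap in '...' and double each
// embedded single quote. (Assumption: mirrors the VCL routine's behaviour.)
std::string quotedStr(const std::string& s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "''";
        else out += c;
    }
    return out + "'";
}

const std::string kSelect =
    "SELECT f_department.CODE, f_department.NAME FROM f_department "
    "LEFT JOIN l_modules_22_department "
    "ON l_modules_22_department.CODE_2 = f_department.CODE "
    "WHERE l_modules_22_department.CODE_1 = ";

// The thread's QuotedStr option: query text assembled by concatenation.
std::string buildByConcat(const std::string& moduleCode) {
    return kSelect + quotedStr(moduleCode);
}

// How MySQL scans a single-quoted literal with backslash escapes enabled
// (the default). `start` must index the opening quote. Returns the index just
// past the closing quote, or std::string::npos if the literal never ends.
std::size_t endOfMysqlLiteral(const std::string& sql, std::size_t start) {
    for (std::size_t i = start + 1; i < sql.size(); ++i) {
        if (sql[i] == '\\') { ++i; continue; }               // \x: next char is literal
        if (sql[i] != '\'') continue;
        if (i + 1 < sql.size() && sql[i + 1] == '\'') { ++i; continue; }  // '' is one quote
        return i + 1;                                         // closing quote
    }
    return std::string::npos;
}

// The SQL MySQL would parse *after* the literal meant to hold moduleCode.
// Empty means the value stayed inside the literal; anything else is injected SQL.
std::string sqlAfterValue(const std::string& moduleCode) {
    std::string sql = buildByConcat(moduleCode);
    std::size_t end = endOfMysqlLiteral(sql, kSelect.size());
    return end == std::string::npos ? std::string() : sql.substr(end);
}

// Parameterized form: the SQL text is a constant with a placeholder and the
// value travels separately, so it is never parsed as SQL. With the MySQL C API
// this pair becomes mysql_stmt_prepare() + MYSQL_BIND/mysql_stmt_bind_param();
// with a C++Builder dataset it is SQL->Text containing ":code" plus
// ParamByName("code")->AsString = moduleCode. (Illustrative struct, not a library type.)
struct PreparedQuery {
    std::string sql;
    std::vector<std::string> params;
};

PreparedQuery buildParameterized(const std::string& moduleCode) {
    return PreparedQuery{ kSelect + "?", { moduleCode } };
}

int main() {
    // Constructed inputs: a normal code, a code with an apostrophe, and an
    // attacker-supplied value that uses a backslash to defeat quote doubling.
    const std::string inputs[] = { "22", "O'Brien", "\\' OR 1=1 -- " };
    for (const std::string& in : inputs) {
        std::cout << "value: " << in
                  << "\n  concatenated: " << buildByConcat(in)
                  << "\n  injected SQL: [" << sqlAfterValue(in) << "]\n";
    }
    PreparedQuery p = buildParameterized(inputs[2]);
    std::cout << "parameterized text: " << p.sql
              << "\n  bound value: " << p.params[0] << "\n";
    return 0;
}
```

Quote doubling handles O'Brien correctly, but the third value ends the literal early: MySQL reads `'\''` as a one-character string and then parses ` OR 1=1 -- '` as SQL. The parameterized version keeps the statement text constant for every input, which is the property prepare-execute gives you regardless of sql_mode or the escaping rules of the server.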
