-Original Message-
From: use-livecode [mailto:use-livecode-boun...@lists.runrev.com] On Behalf Of
Peter Haworth
Sent: Thursday, July 30, 2015 2:47 PM
To: How to use LiveCode
Subject: Re: parameterized query with wildcard
I feel I should point out that you are leaving yourself wide open to SQL
injection attacks by not using the placeholder method of passing data to
SQL statements. Not enough space to detail how that works here but just
Google "SQL injection" on the web to see a sample of the really bad things
that
>> put "%" & pSearchTerm & "%" into tSearchTerm
>> put "SELECT * FROM foo WHERE bar LIKE :1" into tQuery
>> get revDataFromQuery(tab, return, sDBID, tQuery, "tSearchTerm")
Turns out it is done in the system settings under keyboard in case anyone else
needs to do the same.
Bob S
On Jul 29, 2015, at 15:06, Bob Sneidar wrote:
I should also mention that my mail program *DOES* substitute plain quotes for
smart ones. I am disabl
Okay I see my confusion. I can use a statement like:
select * from customers where customername LIKE '%int%’
This works. It seems however that when using parameter substitution it does
not. In sqlYoga I can use:
put sqlquery_createObject(“customers”) into qCustomerObject
put “customer name LIK
How odd. I am thinking now, that because I am passing these query arguments to
sqlYoga it is doing the macro replacement instead of SQL. Now that I think of
it, I have never used this in a direct SQL query. I am not even sure how to
construct it. Is this a web server convention? I cannot see h
When I get that value from the user it is scrubbed and then put into the SQL
with the merge.
> On Jul 29, 2015, at 12:18 PM, Peter Haworth wrote:
But why bother? You're already putting the value into a variable so all
that's required is use :1 and append the variable name to the revxxx call.
On Wed, Jul 29, 2015 at 8:29 AM PystCat wrote:
If you are specifying a literal value with LIKE, then you need the single
quotes or you will get an error. If you are using a parameter variable
containing the literal, then no single quotes needed. Including the :1 in
quotes makes the query look for a string containing :1, not the contents of
th
Not a problem... Scrub the variable before the merge... It's what I do as well.
I have a function that takes the input and scrubs it... I'm away for another
week but if you're interested, when I get back I can post the handler.
> On Jul 29, 2015, at 10:35 AM, Mike Kerner wrote:
If you copied and pasted it may be that the small quotes are not the right
characters. I have used this query successfully myself so I may have mistyped
something.
Bob S
> On Jul 29, 2015, at 06:31 , Mike Kerner wrote:
The reason for using parameterized queries instead of either merging or
appending is because of SQL injection.
On Wed, Jul 29, 2015 at 10:18 AM, PystCat wrote:
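The two approaches the thread contrasts, side by side, as an added example that is not from the list or from LiveCode itself. Python's sqlite3 module stands in for revDataFromQuery, an in-memory table foo with a column bar and a few constructed rows replaces the real database, and the `?` and `:term` placeholders play the role of LiveCode's `:1`. It shows the merge-style query letting a search term rewrite the WHERE clause, the bound query with the `%` wildcards placed in the value rather than in the SQL text (Peter Haworth's pattern), the quoted-placeholder mistake matching a literal string, and a LIKE ... ESCAPE variant for the case the thread does not reach: a user term that itself contains `%` or `_`. All function and variable names below are this example's own.

```python
import sqlite3

# Constructed sample rows for a table foo(bar); not data from the thread.
SAMPLE_ROWS = [("John Smith",), ("Johnny Cash",), ("Mary Jones",), ("100% cotton",)]


def make_db():
    """In-memory SQLite database standing in for the LiveCode sDBID connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT)")
    conn.executemany("INSERT INTO foo (bar) VALUES (?)", SAMPLE_ROWS)
    return conn


def search_merged(conn, term):
    """The merge()/concatenation pattern: the user's text becomes part of the SQL.

    A term containing a quote closes the string literal and changes the WHERE
    clause, so the rows returned are no longer under the application's control.
    """
    sql = "SELECT bar FROM foo WHERE bar LIKE '%" + term + "%' ORDER BY rowid"
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn, term):
    """Placeholder pattern with the wildcards in the bound value (the thread's fix).

    Mirrors:  put "%" & pSearchTerm & "%" into tSearchTerm
              put "SELECT * FROM foo WHERE bar LIKE :1" into tQuery
    The SQL text never changes, so quotes in the term are just data.
    """
    pattern = "%" + term + "%"
    return [row[0] for row in conn.execute(
        "SELECT bar FROM foo WHERE bar LIKE ? ORDER BY rowid", (pattern,))]


def search_quoted_placeholder(conn, term):
    """The mistake discussed in the thread: quoting the placeholder.

    ':term' inside the quotes is a string literal, not a parameter, so the query
    looks for rows containing the text ":term". A mapping is passed because
    sqlite3 rejects a sequence whose length differs from the placeholder count.
    """
    return [row[0] for row in conn.execute(
        "SELECT bar FROM foo WHERE bar LIKE '%:term%' ORDER BY rowid", {"term": term})]


def like_escape(term, esc="\\"):
    """Escape LIKE metacharacters so a user-supplied % or _ matches literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_bound_escaped(conn, term):
    """Bound query plus ESCAPE: binding stops injection, ESCAPE stops stray wildcards."""
    pattern = "%" + like_escape(term) + "%"
    return [row[0] for row in conn.execute(
        "SELECT bar FROM foo WHERE bar LIKE ? ESCAPE '\\' ORDER BY rowid", (pattern,))]


if __name__ == "__main__":
    db = make_db()
    hostile = "x%' OR '1%'='1"  # constructed term that rewrites the merged WHERE clause
    print("merged, hostile term :", search_merged(db, hostile))             # every row
    print("bound, hostile term  :", search_bound(db, hostile))              # no rows
    print("quoted placeholder   :", search_quoted_placeholder(db, "John"))  # no rows
    print("bound, '_ohn'        :", search_bound(db, "_ohn"))               # _ is a wildcard
    print("escaped, '_ohn'      :", search_bound_escaped(db, "_ohn"))       # literal, no rows
```

The bound versions keep the statement text constant, which is what makes the database treat the term as a value. Note that binding does not neutralise `%` and `_` inside the value; if users may search for those characters literally, the ESCAPE clause is the extra step.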
Why not just use merge...?
Put "John" into tVal
Put merge("SELECT * FROM foo WHERE(bar LIKE %[[tVal]])") into pSQL
OR
put merge("SELECT * FROM foo WHERE(bar LIKE %[[tVal]]%)") into pSQL
I do this for all of my queries and it works fine.
Paul
> On Jul 29, 2015, at 9:45 AM, Mike Kerner wrote:
If I was guessing, my hunch would be that including the single-quotes is
going to make the db look for strings containing %:1%, instead of using the
wildcards and the parameter.
On Wed, Jul 29, 2015 at 9:31 AM, Mike Kerner wrote:
Nope. That doesn't work, Bob. That returns nothing.
On Tue, Jul 28, 2015 at 7:23 PM, Bob Sneidar wrote:
Should be LIKE ‘:1’ or for wild cards LIKE ‘%:1%’.
If you are searching for a value at the beginning, LIKE ‘:1%’ or at the end,
LIKE ‘%:1’
If searching for all, column LIKE ‘%:1%’ OR column LIKE ‘:1%’ OR column LIKE
‘%:1’
HTH
Bob S
> On Jul 28, 2015, at 08:16 , Mike Kerner wrote:
-
"The difference between genius and stupidity is; genius has its limits." -
Albert Einstein
--
View this message in context:
http://runtime-revolution.278305.n4.nabble.com/parameterized-query-with-wildcard-tp4694407p4694419.html
Has anybody built any queries that use both parameters and wildcards, e.g.
in a LIKE statement?
SELECT * FROM foo WHERE bar LIKE %:1%
I've tried the above (error), I've tried '%':1'%' (error), and I've tried
appending the % to the container I'm passing as my :1 (doesn't work).
I really don't wan