Re: Building SQL
From: Jezebel (dwarves_at_heaven.com.kr)
Date: 12/19/04
- Previous message: Earl: "Re: Database ADO Book"
- In reply to: Mark: "Building SQL"
- Next in thread: Jeff Johnson [MVP: VB]: "Re: Building SQL"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 19 Dec 2004 19:17:38 +1100

Don't understand what you mean by 'resolve the references' -- are you asking
how to pass data to and from your class?

Separately, you need to do a lot more work with your code to make it
reliable. Currently --

1) You're not specifying the fields into which you want the data inserted.

2) You are assuming that the fields are strings.

3) You're not checking if the argument values are valid. Your code would
fail if any of those fields were null or contained a quote character, or
were zero-length and the field won't accept zero-length strings.

4) Your code is vulnerable to SQL injection. Do a Google if you don't know
what this means.

5) Instead of rst!fields(0) you can simply use rst(0)

"Mark" <Mark@discussions.microsoft.com> wrote in message
news:2E1ACE30-3E73-4176-9505-BF434D59F194@microsoft.com...
>
> I want to build a class that builds SQL statements (given a recordset as an
> argument). I thought it would build a string that would be sent back to the
> user program which could then be resolved in the user program and executed
> with each new record.
>
> So if the string sent back to the user program looks like:
> strSQL = " "Insert Into " & strTable & " Values (" &
> Chr$(34) & rst!fields(0) & Chr$(34) & ", " &
> Chr$(34) & rst!fields(1) & Chr$(34) & ", " &
> Chr$(34) & rst!fields(2) & Chr$(34) & ")" "
>
> Is there any way to resolve the references in the user program so it becomes
> an executable SQL statement (given rst and strTable = "myTable")?
>
> strSQLTwo = Insert Into myTable Values ("xyz", "1a2b3c", "123")
>
> Thanks, Mark
>
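
Added example, not part of either post: one way to address points 1 to 4 of the reply is to build the INSERT once with an explicit column list and `?` placeholders, then bind each record's values as ADO parameters. It assumes VB6 with a reference to Microsoft ActiveX Data Objects; `SafeName`, `BuildInsert`, `InsertCurrentRow` and the open connection `cn` are hypothetical names.

```vb
' Added example (not from the thread). Assumes VB6 + ADO (ADODB);
' cn, rst and all helper names here are hypothetical.
Option Explicit

' Table and column names cannot be sent as parameters, so accept only
' plain identifiers and quote them before they reach the SQL text.
Private Function SafeName(ByVal s As String) As String
    If Len(s) = 0 Or s Like "*[!A-Za-z0-9_]*" Then
        Err.Raise vbObjectError + 1, "SafeName", "Invalid identifier: " & s
    End If
    SafeName = "[" & s & "]"   ' bracket quoting: Jet / SQL Server assumption
End Function

' Build one INSERT with named columns and one ? placeholder per field.
Public Function BuildInsert(cn As ADODB.Connection, ByVal strTable As String, _
                            rst As ADODB.Recordset) As ADODB.Command
    Dim cmd As ADODB.Command, fld As ADODB.Field, prm As ADODB.Parameter
    Dim cols As String, marks As String

    Set cmd = New ADODB.Command
    Set cmd.ActiveConnection = cn
    cmd.CommandType = adCmdText

    For Each fld In rst.Fields
        cols = cols & IIf(Len(cols) > 0, ", ", "") & SafeName(fld.Name)
        marks = marks & IIf(Len(marks) > 0, ", ", "") & "?"
        ' Take type and size from the field instead of assuming strings.
        Set prm = cmd.CreateParameter(fld.Name, fld.Type, adParamInput, fld.DefinedSize)
        If fld.Type = adNumeric Or fld.Type = adDecimal Then
            prm.Precision = fld.Precision
            prm.NumericScale = fld.NumericScale
        End If
        cmd.Parameters.Append prm
    Next fld

    cmd.CommandText = "INSERT INTO " & SafeName(strTable) & _
                      " (" & cols & ") VALUES (" & marks & ")"
    Set BuildInsert = cmd
End Function

' Per record: bind values as data. Nulls and embedded quote characters
' never become part of the SQL text, so they cannot change the statement.
Public Sub InsertCurrentRow(cmd As ADODB.Command, rst As ADODB.Recordset)
    Dim i As Long
    For i = 0 To rst.Fields.Count - 1
        cmd.Parameters(i).Value = rst.Fields(i).Value
    Next i
    cmd.Execute , , adExecuteNoRecords
End Sub
```

The command text stays fixed for the whole loop; only parameter values change between records, which is what removes the quoting and injection problems of the concatenated string.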