I keep running into an error when I try to use the SQLite like %
sql = "SELECT * FROM us WHERE " + searchmenu.text + " LIKE %" + searchfield.text + "% ORDER BY zip"
It tells me % is syntax error, but SQLite website displays LIKE and the wildcard % as legal syntax
Try this:
sql = “SELECT * FROM us WHERE " + searchmenu.text + " LIKE '%” + searchfield.text + “%’ ORDER BY zip”
OK found my error needed a ’ before and after the two %'s
Holy SQL injections batman!
Have you looked into prepared statements?
[quote=341190:@Tim Parnell]Holy SQL injections batman!
Have you looked into prepared statements?[/quote]
On a desktop app? Also I sanitize the search text as well.
DaveS
(DaveS)
July 19, 2017, 9:55pm
6
uh… yes… no reason to limit where and how your apply good habits and techniques.
Does anyone know if we need more than just a replace all to remove single quotes here?
Just wondering what may go wrong otherwise.
[quote=341188:@Michael Eckert]Try this:
sql = “SELECT * FROM us WHERE " + searchmenu.text + " LIKE '%” + searchfield.text + “%’ ORDER BY zip”[/quote]
Michael,
You must have been posting when as I was, thanks it was the single quote.
I have restructured the query to prevent injections. Thanks everyone
[quote=341194:@Christian Schmitz]Does anyone know if we need more than just a replace all to remove single quotes here?
Just wondering what may go wrong otherwise.[/quote]
You can’t do that. If the user wants an apostrophe, you need to double up the single quotes. Better to use prepared statements just to be safe.