What im trying to do now is search my database (CustomerDB.sqlite) and search the Table (Invoice) for what ever date is entered in Textfield1.
here is what i have. im getting no error. just not displaying it in the listbox.
This is my GetDeadlineDisplay Method.
[code]
Dim sql as string
Dim rs as RecordSet
DeadlineSearchWin.Listbox1.DeleteAllRows
sql = “SELECT * FROM Invoice WHERE Deadline =” + DeadlineSearchWin.TextField1.text
rs = mDB.SQLSelect(sql)
if rs <> nil then
While Not rs.EOF
DeadlineSearchWin.Listbox1.AddRow(rs.Field(“Department”).StringValue, rs.Field(“InvoiceNumber”).StringValue, rs.Field(“DateCreated”).StringValue)
rs.MoveNext
Wend
rs.close
end if[/code]
any ideas ? Examples ? Help ?
Thank you,
Travis McBride
Xojo-Experience Studio
Consider changing
sql = "SELECT * FROM Invoice WHERE Deadline =" + DeadlineSearchWin.TextField1.text
to
sql = "SELECT * FROM Invoice WHERE Deadline = '" + DeadlineSearchWin.TextField1.text + "'"
if Deadline is a a Text field.
First, refactor this code later to use a prepared statement instead. The way you’ve done it does not guard against SQL injections.
You haven’t checked mDB for an error after SQLSelect. Do that and see what, if anything, it tells you.
What I suggested may be a quick fix but as Kem pointed out, the code should be written quite differently in order for it to be safe and catch errors.
Here’s what that might look like:
Dim sql as string
Dim rs as RecordSet
DeadlineSearchWin.Listbox1.DeleteAllRows
sql = "SELECT * FROM Invoice WHERE Deadline = ?"
dim ps as PreparedSQLStatement = mDB.Prepare( sql )
ps.BindType( 0, SQLitePreparedStatement.SQLITE_TEXT )
rs = ps.SQLSelect( DeadlineSearchWin.TextField1.Text )
if mDB.Error then
// Deal with the error
elseif rs <> nil then
While Not rs.EOF
DeadlineSearchWin.Listbox1.AddRow(rs.Field("Department").StringValue, rs.Field("InvoiceNumber").StringValue, rs.Field("DateCreated").StringValue)
rs.MoveNext
Wend
rs.close
end if
Thank you all for the help!. Just a Quote mark mistake ! lol thank you so much. @Frederick Roller Your fix worked! and @Kem Tekinay does that secure it using your idea?
[quote=179167:@Frederick Roller]Consider changing
sql = "SELECT * FROM Invoice WHERE Deadline =" + DeadlineSearchWin.TextField1.text
to
sql = "SELECT * FROM Invoice WHERE Deadline = '" + DeadlineSearchWin.TextField1.text + "'"
if Deadline is a a Text field.[/quote]