Editing and Updating SQLite Recordset

I had all the same questions when I first started with iOS, James. You’re not alone. :slight_smile:

Thanks Jason. I appreciate everyone’s patience with me.

BTW, the parameters do not have to appear in order in your statement. This is perfectly valid, if it makes more sense to do it this way:

"UPDATE table SET fld1 = ?2, fld2 = ?3 WHERE id = ?1"

[quote=179265:@James Redway]Okay, now I get it. … Finally :slight_smile: Sorry to be so stupid about this. I just did not know where the ?1, ?2 came from and if they had to be declared somewhere else in the app. I will work on this and see what happens.

Thanks so much Jon, Norman and Jason. I really appreciate your help.

Thanks again.[/quote]

No problem. Those are part of the SQL syntax.

See this: http://www.w3schools.com/sql/sql_injection.asp

Now, those examples show the parameters as @1, @2, etc. That may be SQL syntax vs. SQLite syntax. I’m not sure. Or maybe they are interchangeable…

Thanks Kem and Jon. I will take another look at that link.

Yeah, don’t just concatenate a string unless you have NO user input in it.
It’s causing yourself a security issue you don’t need to have.

It does.
In fact EVERY SQLExecute is via a prepared statement - unlike the old framework, you don’t have to create one first.
SQLExecute takes a “statement” + optional parameters that are substituted in for the markers in the statement (the ?).
It’s a nice shorthand to create a prepared statement, bind the values & execute it in one line.
See http://developer.xojo.com/sqlitedatabase$SQLExecute
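
The difference discussed in this thread between concatenating a statement and binding values to the ?1, ?2, ?3 markers, shown as an added example that is not part of the original posts and is not Xojo code. It uses Python's built-in sqlite3 module against the same SQLite engine; the `contacts` table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample table with three rows (in-memory database)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, fld1 TEXT, fld2 TEXT)")
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                   [(1, "a", "b"), (2, "c", "d"), (3, "e", "f")])
    return db

def update_concatenated(db, row_id, fld1, fld2):
    """Unsafe: the caller's values become part of the SQL text itself."""
    sql = ("UPDATE contacts SET fld1 = '" + fld1 + "', fld2 = '" + fld2 +
           "' WHERE id = " + str(row_id))
    return db.execute(sql).rowcount

def update_bound(db, row_id, fld1, fld2):
    """Safe: ?1, ?2, ?3 are markers; the Nth tuple item is bound to ?N,
    so the markers may appear in any order in the statement."""
    sql = "UPDATE contacts SET fld1 = ?2, fld2 = ?3 WHERE id = ?1"
    return db.execute(sql, (row_id, fld1, fld2)).rowcount

def rows(db):
    return db.execute("SELECT id, fld1, fld2 FROM contacts ORDER BY id").fetchall()

if __name__ == "__main__":
    hostile_id = "1 OR 1=1"  # constructed input standing in for a user-typed id

    db = make_db()
    # Concatenated: the WHERE clause becomes "id = 1 OR 1=1", every row changes.
    print("concatenated rows changed:", update_concatenated(db, hostile_id, "x", "y"))

    db = make_db()
    # Bound: the whole string is compared to id as a single value, no row matches.
    print("bound rows changed:", update_bound(db, hostile_id, "x", "y"))

    # Bound values may contain quotes; nothing needs escaping.
    print("bound rows changed:", update_bound(db, 2, "O'Brien", "y"))
    print(rows(db))
```
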