So, as apparently many before me have, i am entering the “it’s time to use prepared statements” era. Right now I have put together an SQL select statemet where the GUI uses a mix of segmented controls and one text field.
In the code below, the rating = ‘BB’ and Main.number LIKE ‘5.%’ and made using the segmented controls, no there is no danger of invalid or malicious user input there (if i understand correctly) but the Main.text LIKE ‘%180%’ is user input.
SELECT * FROM Main WHERE rating = 'BB' AND upper( Main.number LIKE '5.%') AND upper(Main.text LIKE '%180%')
So, my question is, can I make a prepared statement where everything is “as is” and only use the preparedstatment for the …text LIKE part?
SELECT * FROM Main WHERE rating = 'BB' AND upper( Main.number LIKE '5.%') AND upper(Main.text LIKE ?)
Or do I need to make a complete prepared statement like this (I guess):
SELECT * FROM Main WHERE rating = ? AND upper( Main.number LIKE ?) AND upper(Main.text LIKE ?)
Just trying to get started on the right track.
Also, I’m guessing, since no-one ever seems to explicitly point this out that binding just goes in chronological order first “bind” to the first “?”