Hi group, I’m writing a SQL … I would like to understand if having spaces in the search query can give me problems and possibly how to solve it.
My sql:
sql= “SELECT * FROM " +TabellaDiAppartenenza+” WHERE …
Example:
TabellaDiAppartenenza=" La mia tabella bella"
It’s giving me an error right now, but I don’t know if it’s due to the spaces.
I guess you have to use underscore _ or at reserved names [ ] around.
Test your query in a db management tool.
What is the content of error message?
You can have spaces in your table name (SQLite), but when using the table name it must be surrounded by double-quotes.
sql = "SELECT * FROM """ + TabellaDiAppartenenza + """ WHERE …
FWIW I started using ‘prepared statements’ and it’s gotten rid of many frustrations with quotations and other formatting.
stmt = MySQLPreparedStatement(xPLN_dbase.Prepare("SELECT * FROM mydb.the_table_name WHERE RECORD_STATUS = ?;"))
stmt.BindType(0, MySQLPreparedStatement.MYSQL_TYPE_SHORT)
stmt.Bind(0, record_status)
Don’t try and put together SQL strings your self. You open your application up to SQL Injection.
Instead look at the ExecuteSQL method, which allows you to provide the outline of your SQL together with the data to include in it. It is far more secure and pretty easy to use.
Yes - that was one of my favourite improvements in API2 - safe against SQL injection without all the faff of preparing statements.
Indeed. That said, if you are going to call the same SQL repeatedly you should still use a prepared statement.
For example, if you are going to add a number of rows to a database:
It will be far faster than using multiple SQLExecutes as it only prepares the statement once, and I mean far far faster.
Thanks everyone for the advice, I don’t use SQLite, but MS Access. Anyway I will try to study your suggestions a little. Thanks again.
The advice goes for any SQL statements, not just SQLite.
Ok, perfect.
I will try.
Thanks