By this I mean it is possible to see (via Msgbox for example) exactly what the Prepared Statement looks like once the bindings are completed?
SQL="SELECT * from table where a=? and b=? and c=?"
would like to see something like
The app is creating a much more complex PS, and I just want to be sure I’m getting all the right pieces in the right place…
Others might know more, but I don’t think that’s a thing you can do, even in pure SQL.
You might want to look at my SQLBuilder which will let you attach values directly to their placeholders and include conditional WHERE statements.
Nope, because it doesn't necessarily turn it into a SQL statement that is sent.
That's not how these things work.
We pass to the vendors client library an address (more or less) saying “get the data from here with this type and this length”
What they do with it in their SDK is up to them but I doubt they turn it into a sql statement since that would mean they too would be vulnerable to nicely crafted sql injection attacks
At least the vendor SDKs I've worked with that do this certainly don't do that.
ok… thought as much…
I will just view the SQL statement, along with the parameters individually, then…
May or may not help, but using EXPLAIN may return the full SQL statement as well as broken down analysis depending on the database you're using.
It is now a two-step update. The first step passes up the prepared statement construct without the data. The second step sends up the data and says use that construct I previously sent. This way it is slower, but more secure.
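An added example, not from this thread and written in Python with the standard-library `sqlite3` module rather than Xojo, to illustrate two points made above: logging the statement template and its parameter values separately (the only view you actually have), and the two-step model in which the template and the bindings are handed to the driver as distinct objects and are never concatenated into one SQL string. The `debug_render` helper produces a human-readable "what it would look like" string purely for eyeballing placeholder/value pairing; the names `debug_render`, `run_logged`, `open_demo_db`, the table `t`, and the rows are assumptions constructed for the example.

```python
import logging
import sqlite3

log = logging.getLogger("ps-demo")

# Constructed sample schema and rows (assumption, not from the thread).
SCHEMA = "CREATE TABLE t (a TEXT, b INTEGER, c TEXT)"
ROWS = [("alpha", 1, "x"), ("beta", 2, "y"), ("O'Brien", 3, "z")]

# The statement from the thread, with a concrete table name.
SQL = "SELECT * FROM t WHERE a=? AND b=? AND c=?"


def open_demo_db() -> sqlite3.Connection:
    """In-memory database populated with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO t VALUES (?, ?, ?)", ROWS)
    return conn


def _literal(value) -> str:
    """Render one bound value as a SQL literal for display only."""
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)):
        return str(value)
    # Double any embedded single quote so the rendering stays readable.
    return "'" + str(value).replace("'", "''") + "'"


def debug_render(sql: str, params: tuple) -> str:
    """Debug-only view: substitute a literal for each '?' in order.

    This string is NEVER sent to the database. It exists so a human can
    check that the right value lands next to the right column. Splitting
    on '?' (instead of repeated replace) keeps a '?' inside a value from
    being mistaken for the next placeholder.
    """
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError(
            f"{len(parts) - 1} placeholders but {len(params)} values supplied"
        )
    out = parts[0]
    for value, tail in zip(params, parts[1:]):
        out += _literal(value) + tail
    return out


def run_logged(conn: sqlite3.Connection, sql: str, params: tuple):
    """Execute a prepared statement, logging template and bindings separately.

    The driver receives the template and the values as two distinct things,
    mirroring the two-step model described in the thread; the rendered line
    below is for the log reader only.
    """
    log.debug("template : %s", sql)
    log.debug("bindings : %r", params)
    log.debug("rendered (debug only): %s", debug_render(sql, params))
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG, format="%(message)s")
    db = open_demo_db()
    # A value containing a quote is matched as plain data by the bound
    # statement, which is exactly why no "final SQL string" exists.
    print(run_logged(db, SQL, ("O'Brien", 3, "z")))
```

Because the value `O'Brien` is bound rather than spliced into the text, the lookup finds the row while the rendered debug line still shows you which value went to which column; a mismatch between placeholder count and value count is reported before anything reaches the database.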