| Subject | Re: Query with data parameter IBExpress/Firebird |
|---|---|
| Author | Adam |
| Post date | 2006-04-03T11:15:59Z |
--- In firebird-support@yahoogroups.com, "d_dude_2003"
<d_dude_2003@...> wrote:
automatically convert particular strings to dates but of course there
is a difference between different regions.
Is it really a parameter? I suspect it is a string built at runtime.
If you are using one of the built-in date functions in Delphi then be
aware that these are dependent on the region settings on the machine.
This is bad:
qry.SQL.Text := 'select blah from table where somedate = ''' +
datetostr(dtp.Date) + '''';
qry.Open;
Why?
Well depending on how the region settings (in particular shortdate
format) are configured, you may get an error, or even worse, no error
but the data from the wrong date!
Secondly, you have to prepare the query each time it executes which is
a waste.
Thirdly, not so bad in this case but where you have a normal text edit
involved you open yourself up to a SQL injection attack.
This is good (and easier to read and maintain):
qry.SQL.Text := 'select blah from table where somedate = :somedate';
qry.ParamByName('somedate').Value := dtp.Date;
qry.Open;
Why?
It is region setting independent. The query plan can be re-used
because between each run you just change the parameter value. You are
immune from SQL injection attacks because these methods automatically
insert the escape quotes etc.
Adam
<d_dude_2003@...> wrote:
>A date in Firebird is internally stored as a number. Firebird will
> My customer reports that the query with date parameter always produce
> date format error (the error is being generated by FireBird engine). I
> never can reproduce it.
>
> Is there any date format settings?
automatically convert particular strings to dates but of course there
is a difference between different regions.
Is it really a parameter? I suspect it is a string built at runtime.
If you are using one of the built-in date functions in Delphi then be
aware that these are dependent on the region settings on the machine.
This is bad:
qry.SQL.Text := 'select blah from table where somedate = ''' +
datetostr(dtp.Date) + '''';
qry.Open;
Why?
Well depending on how the region settings (in particular shortdate
format) are configured, you may get an error, or even worse, no error
but the data from the wrong date!
Secondly, you have to prepare the query each time it executes which is
a waste.
Thirdly, not so bad in this case but where you have a normal text edit
involved you open yourself up to a SQL injection attack.
This is good (and easier to read and maintain):
qry.SQL.Text := 'select blah from table where somedate = :somedate';
qry.ParamByName('somedate').Value := dtp.Date;
qry.Open;
Why?
It is region setting independent. The query plan can be re-used
because between each run you just change the parameter value. You are
immune from SQL injection attacks because these methods automatically
insert the escape quotes etc.
Adam