p2p.wrox.com Forums


sql_language thread: Simple SQL question


Message #1 by "Barbara Ward" <bdward@r...> on Fri, 29 Mar 2002 19:31:11
As far as I can see there is no error in your statement. How are you
executing this, query analyzer or something else?

Your bigger question, of whether your user can enter multiple elements
to query by, can be answered in many ways. The answer is dependent on the
tools you are using. A simple way to "solve" this is to create dynamic
SQL statements from what the user entered by constructing a string of
the SQL and passing it to the database. The biggest problem with this
approach is that you must parse everything the user typed to make sure
that they did not embed SQL commands in their input like this "r0;delete
from route". The thing to notice is the embedded semicolon: the SQL
parser will see this and assume it is a new command, compile it and
execute it, and all of your route data will be deleted. This is a simple
example of things you need to watch out for; there are many articles on
the Web about this subject with solutions suggested. You could try the
'SQLServerCentral.com' site or search for "SWYNK" in Google.

Another way to do this is to present the user with a list with checkboxes
or allow them to highlight the ones they want. This has the advantage of
assuring that your user will not have to remember the routes correctly nor
type them correctly. Let the computer remember, not the user; it does it
better.

> -----Original Message-----
> From: Barbara Ward [mailto:bdward@r...]
> Sent: Friday, March 29, 2002 7:31 PM
> To: sql language
> Subject: [sql_language] Simple SQL question
> 
> Hi,
> 
> I am a 'newbie'....I have a simple question.
> 
> I have a 'routes' table that contains many route Names. The customer
> wants to be able to fill in a form and type in many route names (from 1
> to 20 different routes depending on an ever changing situation).
> 
> I want to be able to produce a list of routes that meet all their criteria
> so I'm just using a select statement similar to this (in this case the
> customer only wants two routes R08-45 and Route B08-15):
> 
> SELECT * FROM [Routes] WHERE Route_Name = 'R08-45' OR Route_Name 'B08-15'
> ORDER BY [Route_Name]DESC
> 
> 
> I get a Syntax error (missing operator) in query expression.
> 
> Can I not specify two different criteria of Route_Name? or what is wrong
> with my syntax?  Route_Name is not the key field.
> 
> help!?
> 
> Barb
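
The reply's two suggestions sketched together, as an added example that is not part of the original thread: the form offers the known route names, and the chosen names reach the database as bound parameters, so input such as "r0;delete from route" is only ever compared as a name. It assumes Python's sqlite3 module as a stand-in for the poster's database; `demo_db`, `known_routes`, `find_routes` and the sample rows are constructed for illustration.

```python
import sqlite3

MAX_ROUTES = 20  # the form in the question accepts 1 to 20 route names


def demo_db():
    """In-memory stand-in for the Routes table (constructed sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Routes (Route_Name TEXT)")
    conn.executemany("INSERT INTO Routes VALUES (?)",
                     [("R08-45",), ("B08-15",), ("C01-02",)])
    return conn


def known_routes(conn):
    """Names to offer as checkboxes, so the user never types them."""
    return [r[0] for r in conn.execute(
        "SELECT Route_Name FROM Routes ORDER BY Route_Name")]


def find_routes(conn, names):
    """Return matching route names, descending, using bound parameters."""
    names = [n.strip() for n in names if n.strip()]
    if not 1 <= len(names) <= MAX_ROUTES:
        raise ValueError("expected 1 to %d route names" % MAX_ROUTES)
    # Only '?' markers are spliced into the SQL text; the driver sends the
    # values separately, so a ';' in a name is data, not a new statement.
    marks = ", ".join("?" for _ in names)
    sql = ("SELECT Route_Name FROM Routes WHERE Route_Name IN (%s) "
           "ORDER BY Route_Name DESC" % marks)
    return [r[0] for r in conn.execute(sql, names)]


if __name__ == "__main__":
    conn = demo_db()
    print(known_routes(conn))
    print(find_routes(conn, ["R08-45", "B08-15"]))
    print(find_routes(conn, ["r0;delete from route"]))  # input from the reply
    print(conn.execute("SELECT COUNT(*) FROM Routes").fetchone()[0])
```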


