MIDRANGE dot COM Mailing List Archive




Re: Embedded SQL question




Others have answered your specific question...

But let me say that you are doing dynamic SQL without parameter markers.

You really don't want to do that if you can help it for two reasons:
1) Security (Google "SQL Injection")
2) Performance

Generally speaking, with a variable table name you do have to use dynamic
SQL. And if this is a tool for your own use, it's probably OK. But you
wouldn't want dynamic SQL being used by users.

Charles



On Tue, Sep 2, 2014 at 7:23 AM, Bill Howie <blhowie66@xxxxxxxxx> wrote:

Hello all,

Not sure if this really falls in the RPG group or not, but since there
isn't an SQL group I will put it here. I have a program whose concept is
to take 3 incoming parameters (file name, field name, and company number)
and load them into an embedded SQL statement and execute that statement.
Here is my code:

D File_Name S 10A
D Field_Name S 10A
D Company_Name S 2A
D Bogus_Field S 2A
D MySQLText S 300A varying
D Result S 100A varying

* Parameters:
* ~~~~~~~~~~~
*
C *Entry Plist
C Parm File_Name
C Parm Field_Name
C Parm Company_Name

/free


MySQLText = 'Update ' + %Trim(File_Name) +
' Set ' + %Trim(Field_Name) +
' = ' + %Trim(Company_Name);

exec sql
SET OPTION
commit=*none,
datfmt=*iso;


exec sql prepare SQL_Stmt from MySQLText;
exec sql execute SQL_Stmt;

*inlr = *on;

/end-free

Pretty basic. When it executes I get the following error:

Column or global variable MYSQLTEXT not found.
Prepared statement SQL_STMT not found.
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
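The approach the reply recommends, as an added example that is not code from either poster: the value travels through a parameter marker, and the table and column names, which cannot be markers, are checked against the QSYS2.SYSCOLUMNS catalog view before they are concatenated. The library MYLIB and the fields AllowedLib and Matches are assumptions made for the illustration.

```rpgle
       ctl-opt dftactgrp(*no) actgrp(*new);

       // Added example. MYLIB is a hypothetical library; only files in it
       // may be updated through this program.
       dcl-pi *n;
         File_Name    char(10);
         Field_Name   char(10);
         Company_Name char(2);
       end-pi;

       dcl-s AllowedLib varchar(10) inz('MYLIB');
       dcl-s MySQLText  varchar(300);
       dcl-s Matches    int(10);

       exec sql set option commit = *none, datfmt = *iso;

       // Step 1: identifiers cannot be parameter markers, so validate them.
       // This is static SQL: the caller's input is only ever a host
       // variable here and is never parsed as statement text.
       exec sql
         select count(*) into :Matches
           from qsys2.syscolumns
          where table_schema = :AllowedLib
            and table_name   = upper(:File_Name)
            and column_name  = upper(:Field_Name);

       // Anything that is not exactly one known column of one known file
       // in the allowed library is rejected before any text is built.
       if sqlcode <> 0 or Matches <> 1;
         *inlr = *on;
         return;
       endif;

       // Step 2: only the validated names are concatenated; the value is
       // a '?' marker, so it is bound as data at execute time.
       MySQLText = 'UPDATE ' + AllowedLib + '.' + %trim(File_Name) +
                   ' SET ' + %trim(Field_Name) + ' = ?';

       exec sql prepare SQL_Stmt from :MySQLText;
       if sqlcode = 0;
         exec sql execute SQL_Stmt using :Company_Name;
       endif;

       *inlr = *on;
       return;
```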






