Others have answered your specific question...

But let me say that you are doing dynamic SQL without parameter markers.

You really don't want to do that if you can help it for two reasons:
1) Security (google "SQL Injection")
2) Performance

Generally speaking, with a variable table name you do have to use dynamic
sql. And if this is a tool for your own use, it's probably ok. But you
wouldn't want dynamic SQL being used by users.


On Tue, Sep 2, 2014 at 7:23 AM, Bill Howie <blhowie66@xxxxxxxxx> wrote:

Hello all,

Not sure if this really falls in the RPG group or not, but since there
isn't an SQL group I will put it here. I have a program whose concept is
to take 3 incoming parameters (file name, field name, and company number)
and load them into an embedded SQL statement and execute that statement.
Here is my code:

D File_Name S 10A
D Field_Name S 10A
D Company_Name S 2A
D Bogus_Field S 2A
D MySQLText S 300A varying
D Result S 100A varying

* Parameters:
* ~~~~~~~~~~~
C *Entry Plist
C Parm File_Name
C Parm Field_Name
C Parm Company_Name


MySQLText = 'Update ' + %Trim(File_Name) +
' Set ' + %Trim(Field_Name) +
' = ' + %Trim(Company_Name);

exec sql

exec sql prepare SQL_Stmt from MySQLText;
exec sql execute SQL_Stmt;

*inlr = *on;


Pretty basic. When it executes I get the following error:

Column or global variable MYSQLTEXT not found.
Prepared statement SQL_STMT not found.
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.

This thread ...


Return to Archive home page | Return to MIDRANGE.COM home page