I would suggest simply changing it to an insert statement.
Exec SQL
Insert into file (col1, col2, col3)
Values(:myval1, :myval2, :myval3);
You do not need to worry about sql injection with this statement in SQLRPG(LE).
-----Original Message-----
From: rpg400-l-bounces@xxxxxxxxxxxx [mailto:rpg400-l-bounces@xxxxxxxxxxxx] On Behalf Of Pete Helgren
Sent: Wednesday, November 16, 2011 11:26 AM
To: RPG programming on the IBM i / System i
Subject: Re: AW: Perplexing compile error RNF7418 - embedded SQL
Thanks Birgitta (I was hoping you'd weigh in...)
Working your questions backward:
1. BTW why to use dynamic SQL at all? Answer: I am probably doing it wrong! I usually use prepared statements with parameter markers to avoid SQL injection vulnerabilities. So perhaps I am going about it the wrong way in RPG. What do you suggest?
2. What happens if you move execute immediately after exec SQL?
You mean, like so?:
exec sql execute s1 using :employee, :punchdate, :punchtime, :punch;
Then I get the same error.
3. Is one of the host variables passed to the program with constant reference?
No. But you forced me to look *carefully* at my code and I discovered the error! The host variable :punch was the problem because I originally had a variable named 'punch' and then discovered that the sub procedure I created ALSO had the name 'punch' so I had changed the variable name but had not changed the SQL. Thus the :punch host variable actually pointed to the sub procedure name, which of course couldn't be used as a host variable (at least, it isn't 'variable'). I would have discovered the error more quickly had the compiler error been something like: RNFXXXX: "Sub procedure name not allowed as host variable" (which would have been helpful).
In any case, THANKS, you pointed me to look at the code with a more careful eye (a good night's sleep helped as well...)
Pete Helgren
Value Added Software, Inc
www.petesworkshop.com
GIAC Secure Software Programmer-Java
On 11/16/2011 3:13 AM, Birgitta Hauser wrote:
I'm not sure why you get a compile error, but the syntax of your SQL
INSERT statement is not correct!
The correct syntax is:
Insert into MyTable (Col1, Col2, ... ColN) Values (?, ?, ...?)
BTW it is not the SQL precompiler, but the RPG compiler that sends the
message.
Is one of the host variables passed to the program with constant reference?
What happens if you move execute immediately after exec SQL?
BTW why to use dynamic SQL at all?
Best regards
Birgitta Hauser
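The statement forms discussed in this thread, side by side, as an added example that is not part of any poster's message: static embedded SQL with host variables, a prepared statement with parameter markers, and, for contrast, a statement built by concatenation. The table PUNCHLOG, its columns and the host variable punchtype are assumptions made for the example.

```rpgle
**free
// Added example, not code from the thread. PUNCHLOG and its columns are
// hypothetical; the host variable names follow the thread, except that the
// fourth is called punchtype so it cannot collide with a procedure name.
ctl-opt dftactgrp(*no) actgrp(*new);

dcl-s employee  char(10) inz('E1001');
dcl-s punchdate date     inz(*sys);
dcl-s punchtime time     inz(*sys);
dcl-s punchtype char(3)  inz('IN');
dcl-s stmt      varchar(256);

// Assumption: PUNCHLOG is not journaled, so run without commitment control.
exec sql set option commit = *none;

// 1. Static SQL. The statement text is fixed at precompile time and the
//    host variables are bound as data, so their contents are never parsed
//    as SQL.
exec sql
  insert into punchlog (employee, punchdate, punchtime, punchtype)
  values (:employee, :punchdate, :punchtime, :punchtype);
if sqlstate <> '00000';
  dsply ('Static insert failed: ' + sqlstate);
endif;

// 2. Dynamic SQL with parameter markers. The text is prepared once and the
//    values are supplied separately at EXECUTE, again as data only.
stmt = 'insert into punchlog (employee, punchdate, punchtime, punchtype) '
     + 'values (?, ?, ?, ?)';
exec sql prepare s1 from :stmt;
exec sql execute s1 using :employee, :punchdate, :punchtime, :punchtype;
if sqlstate <> '00000';
  dsply ('Prepared insert failed: ' + sqlstate);
endif;

// 3. For contrast only: the value becomes part of the statement text, so a
//    quote character inside employee changes what the database parses.
//    This is the form to look for in code review. (The other columns are
//    assumed nullable here.)
stmt = 'insert into punchlog (employee) values (''' + %trim(employee) + ''')';
exec sql execute immediate :stmt;

*inlr = *on;
return;
```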