Delphi – FDQuery: what are the risks of using a variable instead of a parameter?

Question:

I'm making a connection to fetch data from the database with an IN() condition, but I had difficulties implementing this between FDQuery and Firebird.

Analyzing the problem, I noticed that the SQL command was arriving at the database in a form that could not be executed, or was not even accepted by FDQuery. I tried several ways of dealing with it and they didn't work.

Then I resorted to what I consider a POG: creating a String variable and inserting it in the middle of the SQL, with the data properly formatted so that it reached the database in a form Firebird can execute.

// Fragment from the question: the comma-separated list held in the string
// variable consulta is spliced verbatim into the statement text
FDconsult.SQL.Add('SELECT * FROM PED1A WHERE ID_LOJA IN (');
FDconsult.SQL.Add(consulta);  // contents of consulta become part of the SQL
FDconsult.SQL.Add(')');
FDconsult.Open;

What risks am I exposing my application to by doing this type of POG?

Answer:

We use Firebird here too, and I assure you that there is no risk, because everything is a pure string that will only be processed later by the database.

FDconsult.SQL.Clear; {Depending on the component it's ..SQL.SelectSql.Clear}
// Same statement as in the question, built in a single string
FDconsult.SQL.Add('SELECT * FROM PED1A WHERE ID_LOJA IN (' + consulta + ')');
FDconsult.Open;

It's the same thing. With a parameter I think it's kind of difficult for you to use IN; we used it only in the WHERE clause and we changed them all to pure strings.

Remember that if the ID_LOJA field is varchar, all consulta items must be enclosed in double quotes.
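As an added example (not code from the question or the answer), here is the concatenated form from the thread beside a version that binds one `:idN` parameter per IN item, so the statement text is fixed by the program and the values never reach the server as SQL. It assumes `FDconsult` is a `TFDQuery` attached to an open Firebird connection and that `PED1A` and `ID_LOJA` are the table and column from the question; `OpenByConcat`, `OpenByParams` and the sample values are hypothetical names constructed for this example.

```delphi
uses
  System.SysUtils, FireDAC.Comp.Client, FireDAC.Stan.Param;

// Concatenation as in the thread: whatever text sits in Consulta is sent to
// the server as part of the SQL. If Consulta ever carries a closing parenthesis
// followed by more SQL, that text changes the meaning of the statement instead
// of being treated as a list of values.
procedure OpenByConcat(FDconsult: TFDQuery; const Consulta: string);
begin
  FDconsult.Close;
  FDconsult.SQL.Text := 'SELECT * FROM PED1A WHERE ID_LOJA IN (' + Consulta + ')';
  FDconsult.Open;
end;

// Parameterized alternative: the IN list is expanded into placeholders
// (:id0, :id1, ...) and each value is bound separately. No manual quoting is
// needed whether ID_LOJA is varchar or integer.
procedure OpenByParams(FDconsult: TFDQuery; const Ids: TArray<string>);
var
  I: Integer;
  Placeholders: TArray<string>;
begin
  if Length(Ids) = 0 then
    raise EArgumentException.Create('IN list must not be empty');
  SetLength(Placeholders, Length(Ids));
  for I := 0 to High(Ids) do
    Placeholders[I] := ':id' + I.ToString;
  FDconsult.Close;
  // FireDAC creates the Params collection from the placeholders when
  // SQL.Text is assigned (ResourceOptions.ParamCreate is True by default)
  FDconsult.SQL.Text := 'SELECT * FROM PED1A WHERE ID_LOJA IN (' +
    string.Join(', ', Placeholders) + ')';
  for I := 0 to High(Ids) do
    // use AsInteger here instead if ID_LOJA is an integer column
    FDconsult.ParamByName('id' + I.ToString).AsString := Trim(Ids[I]);
  FDconsult.Open;
end;

// Usage with the comma-separated string the question already has (values
// constructed for illustration):
//   OpenByParams(FDconsult, '10,27,42'.Split([',']));
```

Binding the values also means the quoting rule for varchar columns disappears, because the driver sends each item as typed data rather than as text inside the statement.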
