[Previous][Up] |
SQLDB implements parameterized queries, simulating them if the native SQL client does not support parameterized queries. A parameterized query means that the SQL statement contains placeholders for actual values. The following is a typical example:
SELECT * FROM MyTable WHERE (id=:id)
The :id is a parameter with the name id. It does not contain a value yet. The value of the parameter will be specified separately. In SQLDB this happens through the TParams collection, where each element of the collection is a named parameter, specified in the SQL statement. The value can be specified as follows:
Params.ParamByname('id').AsInteger:=123;
This will tell SQLDB that the parameter id is of type integer, and has value 123.
SQLDB uses parameters for 3 purposes:
An additional advantage of using parameters is that they help to avoid SQL injection: by specifying a parameter type and value, SQLDB will automatically check whether the value is of the correct type, and will apply proper quoting when the native engine does not support parameters directly.
|
Parameters detected in the SQL statement. |
|
|
Automatic generation of update SQL statements |