[fpc-pascal] Sqldb - How to pass an array of values as a param to be used with SQL IN operator?

Luiz Americo Pereira Camara luizamericop at gmail.com
Sun Apr 10 20:57:12 CEST 2016

2016-04-10 15:39 GMT-03:00 Stephen Chrzanowski <pontiac76 at gmail.com>:

> Due to the nature of the bind mechanism, you won't be able to do it this
> way.  The only way you'll be able to do that is with your program doing
> string substitution instead of doing the bind.  Since you're dealing with
> integers only, you'll just need to make sure that every entry you're
> substituting for is actually an integer.
I'm afraid is really not possible. Some months ago i searched for a delphi
solution and the proposed is the same as yours.

I hoped that would exist some solution in fpc side.

As a workaround, I just implemented pre processing the SQL with a regular
expression to detect param binding inside in expression and replace the
binding with the string without the quotes before passing to the query.

The remaining issue is that open doors for SQL injection attacks.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freepascal.org/pipermail/fpc-pascal/attachments/20160410/a8f58b42/attachment.html>

More information about the fpc-pascal mailing list