That sounds like SQL injection waiting to happen. I would think sanitizing a parameter and running a pre-defined SQL statement would be safer. I guess it depends on the environment.
-----Original Message-----
From: midrange-l-bounces@xxxxxxxxxxxx [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Roger Harman
Sent: Thursday, March 05, 2009 2:26 PM
To: 'midrange-l@xxxxxxxxxxxx'
Subject: Re: SQL Issue in CL Pgm
Build the command string separately and pass that as the parm
dcl &cmdstr *char 256 (or whatever)
chgvar &cmdstr (concatenate your command here)
strqsh cmd(&cmdstr)
vlittlepp@xxxxxxxxx 03/05/2009 1:41:30 PM >>>
Hi
Would anyone help me on how to pass a variable in Set when I try to do SQL
Update in a CL program? The details are:
I need to set the date in myfile. When I did the following it worked
fine:
STRQSH CMD('DB2 "UPDATE MYFILE SET +
MYDATE = "0305" WHERE MYDATE = '' '' "')
But IF the Date is the input parameter of this CL program, it will NOT
update:
PGM PARM(&PPDATE)
DCL VAR(&PPDATE) TYPE(*CHAR) LEN(04)
STRQSH CMD('DB2 "UPDATE MYFILE SET +
MYDATE = *CAT &PPDATE *CAT WHERE MYDATE = '' '' "')
Would anybody help... thanks a lot!
J
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe, or change list options,
visit:
http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a moment to review the archives at
http://archive.midrange.com/midrange-l.
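
An added example, not part of the original thread or written by any of its posters: one way to apply the "sanitize the parameter" point from the top reply to the CL program in the question, by checking that &PPDATE is exactly four digits before it is concatenated into the STRQSH command string. It assumes MYDATE is a 4-character column; &CH and &I are names introduced here, and &CMDSTR follows the reply that suggested building the command string separately.

```clle
/* Added example: allow-list check on &PPDATE before it is placed    */
/* in the STRQSH command string. &CH and &I are names invented here. */
/* Assumption: MYDATE is a 4-character column holding digits.        */
PGM        PARM(&PPDATE)
  DCL      VAR(&PPDATE) TYPE(*CHAR) LEN(4)
  DCL      VAR(&CMDSTR) TYPE(*CHAR) LEN(256)
  DCL      VAR(&CH)     TYPE(*CHAR) LEN(1)
  DCL      VAR(&I)      TYPE(*INT)

  /* Reject anything that is not exactly four digits. Apostrophes,   */
  /* double quotes, blanks, semicolons and shell metacharacters all  */
  /* fail this test, so the caller cannot close the SQL literal or   */
  /* the double-quoted argument that QSH hands to DB2.               */
  DOFOR    VAR(&I) FROM(1) TO(4)
    CHGVAR VAR(&CH) VALUE(%SST(&PPDATE &I 1))
    IF     COND((&CH *LT '0') *OR (&CH *GT '9')) THEN(DO)
      /* Escape message ends the program before any SQL is run */
      SNDPGMMSG MSGID(CPF9898) MSGF(QCPFMSG) +
                MSGDTA('PPDATE must be four digits') +
                MSGTYPE(*ESCAPE)
    ENDDO
  ENDDO

  /* Only the validated value is concatenated. Doubled apostrophes   */
  /* in the CL literals become the single apostrophes that delimit   */
  /* the two SQL string constants.                                   */
  CHGVAR   VAR(&CMDSTR) VALUE('DB2 "UPDATE MYFILE SET MYDATE = ''' +
             *CAT &PPDATE *CAT ''' WHERE MYDATE = '' ''"')
  STRQSH   CMD(&CMDSTR)
ENDPGM
```

The check has to run in the same program that builds the string, because &PPDATE passes through both the QSH command line and the SQL statement, and either layer will interpret a quote character that slips through.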