
Please add protection against AddWhere

Posted: Wed 16 Jul 2008 09:44
by Alexander_73
Please add protection against using AddWhere if a TMSQuery SQL statement does not contain SELECT, or add its processing for UPDATE|DELETE.
Because of its use we have incurred monstrous losses.
The following was used in the code:
Q:=TMSQuery.Create(nil);
try
Q.Connection:=DM.PayConnect;
Q.SQL.Text:='UPDATE Invoices SET InvoiceState=GETDATE() ';
Q.AddWhere('FirmID='+IntToStr(FirmID));
...
The code was applied by mistake and all records were updated, because FinalSQL has no text 'WHERE FirmID=...' :(

Posted: Wed 16 Jul 2008 11:12
by Antaeus
The AddWhere method can add conditions only to SELECT statements. Other statement kinds are ignored.
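
An added example, not part of the original posts and not SDAC code: because AddWhere ignores statements other than SELECT, a caller-side guard can refuse such statements before AddWhere is ever called. `LeadingKeyword` and `RequireSelect` are hypothetical helper names, and the guard is deliberately conservative: anything that does not start with SELECT is refused.

```pascal
program AddWhereGuardDemo;
{$APPTYPE CONSOLE}
uses SysUtils;
// First SQL keyword in upper case; skips whitespace, "--" and "/* */" comments.
function LeadingKeyword(const SQL: string): string;
var
  I, N: Integer;
  C: Char;
begin
  Result := '';
  I := 1; N := Length(SQL);
  while I <= N do
    if SQL[I] <= ' ' then
      Inc(I)
    else if (I < N) and (SQL[I] = '-') and (SQL[I + 1] = '-') then
      while (I <= N) and (SQL[I] <> #10) do Inc(I)
    else if (I < N) and (SQL[I] = '/') and (SQL[I + 1] = '*') then
    begin
      Inc(I, 2);
      while (I < N) and not ((SQL[I] = '*') and (SQL[I + 1] = '/')) do Inc(I);
      Inc(I, 2);
    end
    else
      Break;
  while I <= N do
  begin
    C := UpCase(SQL[I]);
    if (C < 'A') or (C > 'Z') then Break;
    Result := Result + C;
    Inc(I);
  end;
end;

// Raise rather than let a filter be dropped silently (hypothetical helper).
procedure RequireSelect(const SQL: string);
begin
  if LeadingKeyword(SQL) <> 'SELECT' then
    raise Exception.Create('AddWhere refused for ' + LeadingKeyword(SQL) + ' statement');
end;

begin
  RequireSelect('/* constructed */ select * from Invoices');  // accepted
  try
    // Statement from the post: must be rejected before AddWhere is called.
    RequireSelect('UPDATE Invoices SET InvoiceState=GETDATE() ');
  except
    on E: Exception do Writeln(E.Message);
  end;
end.
```

In application code the call would be `RequireSelect(Q.SQL.Text)` immediately before `Q.AddWhere(...)`, so an UPDATE or DELETE raises instead of running unfiltered.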