Executing wild character in SQL query using QTP
I'm executing a SQL query using QTP. In one query I have a wildcard character in the SQL query.
Ex: select * from employee where emp_name like '%john%'
In this query I'm passing the string john with the variable named staff. (Ex: QTP code: Rs.open " select * from employee where emp_name like '%&staff&%'",Con)
When I execute this query I'm not able to fetch the records. Is there anything I need to modify in my search string?
Thanks for the replies.
You're missing closing/opening double quotes around the part where you append the staff variable. Probably easier to break it out as a string variable first.
queryString = "select * from employee where emp_name like '%" & staff & "%'"
The 3rd thing any engineer learns in Database class is to always use prepared statements with parameterized SQL queries.
Executing Prepared Statements
The problem with appending strings is it makes the query super vulnerable to SQL injection, and 2nd order SQL injection. It's best to let the framework handle all the escaping for you.
Coincidentally, it's a good way to tell if the Backend or DB Engineer has any formal DB training. You'll usually see a lot of issues with slow queries and sql injection in code that doesn't use prepared statements or ORM.
Last edited by dlai; 12-17-2013 at 09:10 AM.
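Added example (not code from the thread or from QTP itself): the same LIKE search written with an ADODB.Command parameter instead of string concatenation, assuming Con is an already open ADODB.Connection and staff holds the search text.

```vbscript
' Added example: parameterized LIKE search for QTP/VBScript over ADO.
' Assumes Con is an open ADODB.Connection and staff is the search string.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

Function FindEmployeesByName(Con, staff)
    Dim cmd, Rs
    Set cmd = CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Con
    cmd.CommandType = adCmdText
    ' The ? placeholder stands for the whole pattern. The driver sends the
    ' value separately from the SQL text, so a quote inside staff cannot
    ' change the statement (this is what closes the injection hole).
    cmd.CommandText = "select * from employee where emp_name like ?"
    ' The wildcards are added to the value, not to the SQL text.
    cmd.Parameters.Append cmd.CreateParameter("pattern", adVarChar, adParamInput, 255, "%" & staff & "%")
    Set Rs = cmd.Execute
    Set FindEmployeesByName = Rs
End Function

' Usage: a name containing a single quote no longer breaks the query.
Set Rs = FindEmployeesByName(Con, "O'Brien")
Do Until Rs.EOF
    MsgBox Rs("emp_name")
    Rs.MoveNext
Loop
Rs.Close
```

Note that % and _ inside staff still act as LIKE wildcards even when parameterized; if users must be able to search for those characters literally, escape them with the database's ESCAPE clause.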
Thank you for the help. It solved the issue. I'll surely implement prepared statements in my code.