Variable In SQL String
-
I am trying to insert a variable in a SQL string but am not having any success in finding the proper sytax. I am coding in C++. Listed below is code section I am trying to figure out. This code is part of an ADO routine that adds a field in an Access Database.
char Value[40];
printf("Input A String");
scanf("%s",Value);
sSQLCommand = L"ALTER TABLE TableIn ADD @Value nvarchar(20)";
com->CommandText = sSQLCommand;Unfortunately what gets added to the database as a field is @Value.
-
I am trying to insert a variable in a SQL string but am not having any success in finding the proper sytax. I am coding in C++. Listed below is code section I am trying to figure out. This code is part of an ADO routine that adds a field in an Access Database.
char Value[40];
printf("Input A String");
scanf("%s",Value);
sSQLCommand = L"ALTER TABLE TableIn ADD @Value nvarchar(20)";
com->CommandText = sSQLCommand;Unfortunately what gets added to the database as a field is @Value.
wchar_t sqlCommand[1024];
wsprintf(sqlCommand, L"ALTER TABLE TableIn ADD %s nvarchar(20)", Value);«_Superman_» _I love work. It gives me something to do between weekends.
-
wchar_t sqlCommand[1024];
wsprintf(sqlCommand, L"ALTER TABLE TableIn ADD %s nvarchar(20)", Value);«_Superman_» _I love work. It gives me something to do between weekends.
Superman, Excellent! You pointed me in the right direction. After some modifications, the following code works:
char sSQLCommand[100];
char TempField[50];
printf("Input Field");
scanf("%s",TempField);
sprintf_s(sSQLCommand,"ALTER TABLE TableIn ADD %s nvarchar(20)",TempField); -
Superman, Excellent! You pointed me in the right direction. After some modifications, the following code works:
char sSQLCommand[100];
char TempField[50];
printf("Input Field");
scanf("%s",TempField);
sprintf_s(sSQLCommand,"ALTER TABLE TableIn ADD %s nvarchar(20)",TempField); -
I am trying to insert a variable in a SQL string but am not having any success in finding the proper sytax. I am coding in C++. Listed below is code section I am trying to figure out. This code is part of an ADO routine that adds a field in an Access Database.
char Value[40];
printf("Input A String");
scanf("%s",Value);
sSQLCommand = L"ALTER TABLE TableIn ADD @Value nvarchar(20)";
com->CommandText = sSQLCommand;Unfortunately what gets added to the database as a field is @Value.
You should avoid this coding style as it may lead to some serious problems. Google SQL Injection, you yourself will understand.