CCH4UNIGUI Posted March 3, 2021

I have a simple login form created via the Uniform Form wizard:

unit login;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  uniGUITypes, uniGUIAbstractClasses, uniGUIClasses, uniGUIRegClasses,
  uniGUIForm, uniButton, uniPanel, uniEdit, uniGUIBaseClasses, uniLabel;

type
  TUniLoginForm1 = class(TUniLoginForm)
    UniLabel1: TUniLabel;
    UserNameUniEdit: TUniEdit;
    UniLabel2: TUniLabel;
    UniEdit2: TUniEdit;
    UniPanel1: TUniPanel;
    OKUniBtn: TUniButton;
    CancelUniBtn: TUniButton;
    procedure CancelUniBtnClick(Sender: TObject);
    procedure OKUniBtnClick(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
    cUserName: string;
  end;

function UniLoginForm1: TUniLoginForm1;

implementation

{$R *.dfm}

uses
  uniGUIVars, MainModule, uniGUIApplication, Unit1;

function UniLoginForm1: TUniLoginForm1;
begin
  Result := TUniLoginForm1(UniMainModule.GetFormInstance(TUniLoginForm1));
end;

procedure TUniLoginForm1.CancelUniBtnClick(Sender: TObject);
begin
  ModalResult := mrCancel;
end;

procedure TUniLoginForm1.OKUniBtnClick(Sender: TObject);
begin
  cUserName := Trim(UserNameUniEdit.Text);
  ShowMessage(cUserName);
  // ModalResult := mrOK;
end;

initialization
  RegisterAppFormClass(TUniLoginForm1);

end.

cUserName, declared public, is the employee id.

unit MainModule;

interface

uses
  uniGUIMainModule, SysUtils, Classes, Data.DB, Data.Win.ADODB;

type
  TUniMainModule = class(TUniGUIMainModule)
    PlanOTTable: TADODataSet;
    PlanotDS: TDataSource;
    BaldatTable: TADODataSet;
    HrmcodepTable: TADODataSet;
    TmsdataTable: TADODataSet;
    LeavedatTable: TADODataSet;
    HrmdatTable: TADODataSet;
    EmployeeTable: TADODataSet;
    ADOConnection1: TADOConnection;
    HrmcodepDS: TDataSource;
    TmsdataDS: TDataSource;
    BaldatDS: TDataSource;
    LeavedatDS: TDataSource;
    HrmdatDS: TDataSource;
    EmployeeDS: TDataSource;
    procedure UniGUIMainModuleCreate(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
    cUserName: string;
  end;

function UniMainModule: TUniMainModule;

implementation

{$R *.dfm}

uses
  UniGUIVars, ServerModule, uniGUIApplication, login;

function UniMainModule: TUniMainModule;
begin
  Result := TUniMainModule(UniApplication.UniMainModule);
end;

procedure TUniMainModule.UniGUIMainModuleCreate(Sender: TObject);
begin
  // cUserName seems to be empty
  EmployeeTable.CommandText := 'select * from employee WHERE ID=''' + cUserName + '''';
  // the hard-coded line below overrides the one above
  EmployeeTable.CommandText := 'select * from employee WHERE ID=''' + '8180' + '''';
  EmployeeTable.Active := True;
end;

initialization
  RegisterMainModuleClass(TUniMainModule);

end.

Please note cUserName = 8180 (cUserName := Trim(UserNameUniEdit.Text);), BUT this CommandText doesn't work:

  EmployeeTable.CommandText := 'select * from employee WHERE ID=''' + cUserName + '''';

It doesn't work at all; no data shown. But hard-coding '8180', as in:

  EmployeeTable.CommandText := 'select * from employee WHERE ID=''' + '8180' + '''';

WORKS perfectly. Can anyone assist? TQ
epos4u Posted March 3, 2021

Maybe you need to use the QuotedStr() function:

  EmployeeTable.CommandText := 'select * from employee WHERE ID=' + QuotedStr(cUserName);
Pep Posted March 3, 2021

Hi,

You should not use string concatenation in SQL commands, to protect against SQL injection attacks.

https://stackoverflow.com/questions/6000648/delphi-prevent-against-sql-injection
Ron Posted March 3, 2021

Why quote the ID, as it is probably an integer? If this works:

  EmployeeTable.CommandText := 'select * from employee WHERE ID=8180';

then this works:

  EmployeeTable.CommandText := 'select * from employee WHERE ID=' + cUserName;
CCH4UNIGUI Posted March 4, 2021 (Author)

  9 hours ago, Ron said:
  Why quote the ID, as it is probably an integer? If this works:
    EmployeeTable.CommandText := 'select * from employee WHERE ID=8180';
  then this works:
    EmployeeTable.CommandText := 'select * from employee WHERE ID=' + cUserName;

Hi Ron

Your suggestion compiles, but the EmployeeTable is not opened at all 😞
CCH4UNIGUI Posted March 4, 2021 (Author)

  11 hours ago, epos4u said:
  Maybe you need to use the QuotedStr() function:
    EmployeeTable.CommandText := 'select * from employee WHERE ID=' + QuotedStr(cUserName);

Hi epos4u

It compiles but has the same effect as

  EmployeeTable.CommandText := 'select * from employee WHERE ID=''' + cUserName + '''';

i.e. EmployeeTable opens but no data is shown. Beginning to suspect the value of cUserName is not 8180, though 8180 is input.

Thanks for the speedy response.
epos4u Posted March 4, 2021

Are you sure your ID is a string? It seems like an Integer; check your data structure: is ID integer or string? The error might be here:

  { Public declarations }
  cUserName: string;
CCH4UNIGUI Posted March 4, 2021 (Author)

  1 hour ago, epos4u said:
  Are you sure your ID is a string? It seems like an Integer; check your data structure: is ID integer or string? The error might be here:
    { Public declarations }
    cUserName: string;

Hi

You are right, id is integer. But

  cUserName := Trim(UserNameUniEdit.Text);
epos4u Posted March 4, 2021

Then change cUserName, or use cUserNameID as integer:

  cUserNameID := StrToIntDef(Trim(UserNameUniEdit.Text), 0);

then

  EmployeeTable.CommandText := 'select * from employee WHERE ID=' + cUserNameID;

will work.
CCH4UNIGUI Posted March 4, 2021 (Author)

  23 minutes ago, epos4u said:
  Then change cUserName, or use cUserNameID as integer:
    cUserNameID := StrToIntDef(Trim(UserNameUniEdit.Text), 0);
  then
    EmployeeTable.CommandText := 'select * from employee WHERE ID=' + cUserNameID;
  will work.

  public
    { Public declarations }
    cUserName: string;
    cUserNameID: Integer;

  cUserNameID := StrToIntDef(Trim(UserNameUniEdit.Text), 0);   <compile ok>

  EmployeeTable.CommandText := 'select * from employee WHERE ID=' + cUserNameID;   <D10.3.3 complains: incompatible types 'string' and 'integer'>
epos4u Posted March 4, 2021

Sorry, my bad, was half asleep.

  cUserName: string;

  cUserName := Trim(UserNameUniEdit.Text);
  EmployeeTable.CommandText := 'select * from employee WHERE ID=' + cUserName;

You only need the QuotedStr() function if ID is a string.
CCH4UNIGUI Posted March 4, 2021 (Author)

  56 minutes ago, epos4u said:
  Sorry, my bad, was half asleep.
    cUserName: string;
    cUserName := Trim(UserNameUniEdit.Text);
    EmployeeTable.CommandText := 'select * from employee WHERE ID=' + cUserName;
  You only need the QuotedStr() function if ID is a string.

There is nothing wrong with your suggested SQL syntax; I have identified the problem. The basic problem is that cUserName := Trim(UserNameUniEdit.Text) in the UniLoginForm, though declared as public, is NEVER passed to MainModule.pas.
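Pulling the two findings of this thread together in one added example (this is not code from the original post, from any reply, or from uniGUI itself): the login form validates the employee ID and writes it into the session's main module, which uniGUI creates before the login form is shown and keeps alive for the whole session, and the main module then opens EmployeeTable with a parameterised command instead of concatenating the value into the SQL text, as Pep advised. The method OpenEmployee, the field cUserNameID, the message texts, and the assumption that EmployeeTable.Connection already points at ADOConnection1 at design time are mine; the column name ID and the table name employee come from the thread.

```delphi
{ Added example, not the thread's code. Two fragments: MainModule.pas gains
  cUserNameID and OpenEmployee (the EmployeeTable lines are removed from
  UniGUIMainModuleCreate, where the ID is not yet known); login.pas gets a
  new OKUniBtnClick. Names marked "assumed" are mine, not from the thread. }

unit MainModule;

interface

uses
  uniGUIMainModule, SysUtils, Classes, Data.DB, Data.Win.ADODB;

type
  TUniMainModule = class(TUniGUIMainModule)
    EmployeeTable: TADODataSet;     // assumed: Connection set to ADOConnection1 at design time
    ADOConnection1: TADOConnection;
  public
    cUserNameID: Integer;           // employee ID stored by the login form (assumed name)
    procedure OpenEmployee(AId: Integer);
  end;

function UniMainModule: TUniMainModule;

implementation

{$R *.dfm}

uses
  uniGUIApplication;

function UniMainModule: TUniMainModule;
begin
  Result := TUniMainModule(UniApplication.UniMainModule);
end;

procedure TUniMainModule.OpenEmployee(AId: Integer);
begin
  EmployeeTable.Close;
  // Parameterised command: the ID travels as a typed parameter, never as text
  // spliced into the statement, so input such as "8180 OR 1=1" cannot change
  // what the query means. TADODataSet creates the :id parameter from the
  // CommandText as long as ParamCheck is left at its default (True).
  EmployeeTable.CommandText := 'select * from employee where ID = :id';
  EmployeeTable.Parameters.ParamByName('id').DataType := ftInteger;
  EmployeeTable.Parameters.ParamByName('id').Value := AId;
  EmployeeTable.Open;
end;

initialization
  RegisterMainModuleClass(TUniMainModule);

end.

{ login.pas: replacement OKUniBtnClick. The form itself stores nothing; the
  value lives on the main module, which every form of the session can reach. }

procedure TUniLoginForm1.OKUniBtnClick(Sender: TObject);
var
  Id: Integer;
begin
  // Validate before touching the database: accept only a positive integer,
  // which is what the ID column holds.
  if not TryStrToInt(Trim(UserNameUniEdit.Text), Id) or (Id <= 0) then
  begin
    ShowMessage('Employee ID must be a positive number');   // assumed wording
    Exit;
  end;

  // The main module already exists when this handler runs, so the assignment
  // here is visible to every later form. UniGUIMainModuleCreate ran before the
  // login form was shown, which is why the value was always empty there.
  UniMainModule.cUserNameID := Id;
  UniMainModule.OpenEmployee(Id);

  if UniMainModule.EmployeeTable.IsEmpty then
  begin
    ShowMessage('Unknown employee ID');                     // assumed wording
    Exit;
  end;

  ModalResult := mrOK;   // only now does uniGUI go on to create the main form
end;
```

Two caveats a practitioner should keep in mind. First, this still only identifies the user by an ID typed into the form; it is not authentication, because nothing checks the second edit (UniEdit2) on the login form, exactly as in the thread. Second, the parameterised version also fixes the "no data shown" symptom for free: with a typed integer parameter there is no question of quoting, so the QuotedStr() versus bare-integer discussion above disappears.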