Thread Test whether a SQL Statement is "just" SELECT
Mon, May 25 2020 7:47 AM

Adam Brett

Orixa Systems

At present in several parts of my applications I use the code:

 if (POS('SELECT', ' ' + aSQLStr) > 0) then

To test whether a SQL statement is a SELECT statement.

The above provides a very soft test to avoid SQL injection (i.e. random INSERT or UPDATE statements being passed into my code by accident).

However, many INSERT statements include SELECT ... so the above test is not actually good enough at any level.

How can I easily test that a SQL statement is just a SELECT statement? I can see there is a "StatementType" on TEDBQuery, but it does not work as I expect. The following code:

 EDBQuery1.SQL.Text:= 'UPDATE Customers SET (ID, Name) = SELECT (ID, Name) FROM NewCustomers';
 EDBQuery1.Prepare;
 if EDBQuery1.StatementType = stSELECT then
   Showmessage('its a select');
 if EDBQuery1.StatementType = stUPDATE then
   Showmessage('its a select');

Shows the message "its a select", when the statement is clearly UPDATE.

Am I using the "StatementType" property wrongly?

Is there a functional way to identify the type of an EDB Query?
Mon, May 25 2020 9:45 AM

Roy Lambert

NLH Associates

Team Elevate

Adam


Since I'm a "good boy" I've never tried it, but I understand it's possible to hide a nasty inside a select.

I think the only sort of foolproof way is to parse the SQL and make sure there's nothing malicious.

Roy Lambert
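Added example (stand-alone Python, not Delphi, ElevateDB or anyone's code from this thread): a leading-keyword check that classifies Adam's UPDATE ... SELECT statement correctly where the POS('SELECT', ...) test does not, plus a single-statement check for the point Roy raises. It is a lexical check only, not the full parse he suggests; the keyword list and the comment syntax it skips are assumptions.

```python
import re

# Statement kinds we report; anything else comes back as "OTHER" (assumed list).
_KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "CREATE", "ALTER", "DROP", "EXECUTE")


def weak_is_select(sql: str) -> bool:
    """The original POS('SELECT', ...) idea: true if SELECT appears anywhere at all."""
    return "SELECT" in sql.upper()


def strip_leading_noise(sql: str) -> str:
    """Drop leading whitespace and leading SQL comments ('-- ...' and '/* ... */')."""
    s = sql
    while True:
        s = s.lstrip()
        if s.startswith("--"):
            nl = s.find("\n")
            s = "" if nl < 0 else s[nl + 1:]
        elif s.startswith("/*"):
            end = s.find("*/")
            s = "" if end < 0 else s[end + 2:]
        else:
            return s


def statement_type(sql: str) -> str:
    """Classify by the FIRST keyword, so 'INSERT ... SELECT' is INSERT, not SELECT."""
    m = re.match(r"[A-Za-z]+", strip_leading_noise(sql))
    word = m.group(0).upper() if m else ""
    return word if word in _KEYWORDS else "OTHER"


def strict_is_select(sql: str) -> bool:
    """True only if the leading keyword is SELECT and the text holds one statement.

    A ';' outside a quoted string followed by anything but whitespace means a
    second statement is tucked in behind the SELECT, which is what Roy warns about.
    """
    if statement_type(sql) != "SELECT":
        return False
    in_quote = False
    for i, ch in enumerate(sql):
        if ch == "'":
            in_quote = not in_quote  # a doubled '' toggles twice, net unchanged
        elif ch == ";" and not in_quote:
            return sql[i + 1:].strip() == ""  # trailing ';' is fine, more text is not
    return True
```

This still does not see inside a SELECT (e.g. a function or procedure call in the select list), so treat it as a cheap pre-filter in front of the parser-based check, not as a replacement for it.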
Wed, Jun 3 2020 4:59 PM

Tim Young [Elevate Software]

Elevate Software, Inc.


Email timyoung@elevatesoft.com

Adam,

You've got a duplicate message:

 if EDBQuery1.StatementType = stSELECT then
   Showmessage('its a select');
 if EDBQuery1.StatementType = stUPDATE then
   Showmessage('its a select');  <<< Should read 'it's an update'

Tim Young
Elevate Software
www.elevatesoft.com