Thread: ExecSQL in ewb
Mon, Jun 29 2015 1:51 PM

Huseyin Aliz

myBiss ApS


Hi All,

Is it possible to use execsql (or how to use similar command) to delete
some rows from dbisam dataset?

Dataset query could be something like:

delete from orders
where ordernumber={ordernumber=1000}

Regards,
Hüseyin A.
Tue, Jun 30 2015 4:00 AM

Matthew Jones

Hüseyin Aliz wrote:

> Is it possible to use execsql (or how to use similar command) to
> delete some rows from dbisam dataset?
>
> Dataset query could be something like:
>
> delete from orders
> where ordernumber={ordernumber=1000}


When I didn't know anything about the EWB server system and the
database operation, I figured it would be a horrible security issue if
the web browser client could issue SQL to run against the database.
What would stop anyone hacking my code to do a DROP TABLE * ?
Fortunately, Tim had been there, done the thinking, and provided the
solution - all the queries are "canned" and so you cannot do anything
that was not set up in advance, and with permissions, nothing you
aren't supposed to even if DROP TABLE is in a preset.

The key of course is to pass in a parameter for that ordernumber value,
and the preset query you create should work. I'll confess though I've
never used this aspect myself, as my servers use an API that handles
the SQL for me, rather than being direct CRUD applications. I hope
though that this points the way for you.


--

Matthew Jones
Tue, Jun 30 2015 5:12 AM

Huseyin Aliz

myBiss ApS


Hi Matthew,

Thanks for your reply.

The exact code I am using is:

Database.StartTransaction;
try
  with SletDetail do begin
    Params.Clear;
    // Bind the order number to delete as a dataset parameter
    Params.Add('Ordrenr=' + IntToStr(Nyordre.Columns['Maksordrenr'].AsInteger + 1));
    // Execute the dataset's server-side SQL with the parameter above
    Database.LoadRows(SletDetail);
  end;
  Database.Commit;
except
  Database.Rollback;
  raise;
end;

But it does not work and fails with "Error creating table handle". I
also tried to replace Database.LoadRows(SletDetail); with Open; but
nothing happens: no error messages, no deletion of rows.

Regards,
Hüseyin


On 30-06-2015 at 10:00, Matthew Jones wrote:
> Hüseyin Aliz wrote:
>
>> Is it possible to use execsql (or how to use similar command) to
>> delete some rows from dbisam dataset?
>>
>> Dataset query could be something like:
>>
>> delete from orders
>> where ordernumber={ordernumber=1000}
>
>
> When I didn't know anything about the EWB server system and the
> database operation, I figured it would be a horrible security issue if
> the web browser client could issue SQL to run against the database.
> What would stop anyone hacking my code to do a DROP TABLE * ?
> Fortunately, Tim had been there, done the thinking, and provided the
> solution - all the queries are "canned" and so you cannot do anything
> that was not set up in advance, and with permissions, nothing you
> aren't supposed to even if DROP TABLE is in a preset.
>
> The key of course is to pass in a parameter for that ordernumber value,
> and the preset query you create should work. I'll confess though I've
> never used this aspect myself, as my servers use an API that handles
> the SQL for me, rather than being direct CRUD applications. I hope
> though that this points the way for you.
>
>
Tue, Jun 30 2015 5:18 AM

Huseyin Aliz

myBiss ApS


Hi Matthew,

Thanks for your reply.

The exact code I am using is:

Database.StartTransaction;
try
  with SletDetail do begin
    Params.Clear;
    // Bind the order number to delete as a dataset parameter
    Params.Add('Ordrenr=' + IntToStr(Nyordre.Columns['Maksordrenr'].AsInteger + 1));
    // Execute the dataset's server-side SQL with the parameter above
    Database.LoadRows(SletDetail);
  end;
  Database.Commit;
except
  Database.Rollback;
  raise;
end;

It shows an error "Error creating table handle" but deletes rows from
the table. I also tried to replace Database.LoadRows(SletDetail); with
Open; but nothing happens: no error messages, no deletion of rows.

Regards,
Hüseyin

On 30-06-2015 at 10:00, Matthew Jones wrote:
> Hüseyin Aliz wrote:
>
>> Is it possible to use execsql (or how to use similar command) to
>> delete some rows from dbisam dataset?
>>
>> Dataset query could be something like:
>>
>> delete from orders
>> where ordernumber={ordernumber=1000}
>
>
> When I didn't know anything about the EWB server system and the
> database operation, I figured it would be a horrible security issue if
> the web browser client could issue SQL to run against the database.
> What would stop anyone hacking my code to do a DROP TABLE * ?
> Fortunately, Tim had been there, done the thinking, and provided the
> solution - all the queries are "canned" and so you cannot do anything
> that was not set up in advance, and with permissions, nothing you
> aren't supposed to even if DROP TABLE is in a preset.
>
> The key of course is to pass in a parameter for that ordernumber value,
> and the preset query you create should work. I'll confess though I've
> never used this aspect myself, as my servers use an API that handles
> the SQL for me, rather than being direct CRUD applications. I hope
> though that this points the way for you.
>
>
Tue, Jun 30 2015 5:20 AM

Huseyin Aliz

myBiss ApS


Hi Matthew,

Thanks for your reply.

The exact code I am using is:

Database.StartTransaction;
try
  with SletDetail do begin
    Params.Clear;
    // Bind the order number to delete as a dataset parameter
    Params.Add('Ordrenr=' + IntToStr(Nyordre.Columns['Maksordrenr'].AsInteger + 1));
    // Execute the dataset's server-side SQL with the parameter above
    Database.LoadRows(SletDetail);
  end;
  Database.Commit;
except
  Database.Rollback;
  raise;
end;

It shows an error "Error creating table handle" but deletes rows from
the table. I also tried to replace Database.LoadRows(SletDetail); with
Open; but nothing happens: no error messages, no deletion of rows.

Regards,
Hüseyin

On 30-06-2015 at 10:00, Matthew Jones wrote:
> Hüseyin Aliz wrote:
>
>> Is it possible to use execsql (or how to use similar command) to
>> delete some rows from dbisam dataset?
>>
>> Dataset query could be something like:
>>
>> delete from orders
>> where ordernumber={ordernumber=1000}
>
>
> When I didn't know anything about the EWB server system and the
> database operation, I figured it would be a horrible security issue if
> the web browser client could issue SQL to run against the database.
> What would stop anyone hacking my code to do a DROP TABLE * ?
> Fortunately, Tim had been there, done the thinking, and provided the
> solution - all the queries are "canned" and so you cannot do anything
> that was not set up in advance, and with permissions, nothing you
> aren't supposed to even if DROP TABLE is in a preset.
>
> The key of course is to pass in a parameter for that ordernumber value,
> and the preset query you create should work. I'll confess though I've
> never used this aspect myself, as my servers use an API that handles
> the SQL for me, rather than being direct CRUD applications. I hope
> though that this points the way for you.
>
>
Tue, Jun 30 2015 5:28 AM

Matthew Jones

Hüseyin Aliz wrote:

> The exact code I am using is:

I can't help further I'm sorry - I'm not sure where that code would be
- in your Web application I presume? I'd want to know what the SQL on
the server was like too. Also, is this EWB version 1 or version 2?

But a scan of the EWB v1 help doesn't have any sort of ExecSQL that I'd
expect for a delete type operation. Perhaps Tim will come by with
useful info.

--

Matthew Jones
Tue, Jun 30 2015 5:37 AM

Huseyin Aliz

myBiss ApS


Matthew,

Thanks anyway. It's EWB 2. The SQL defined in the dataset exists both in the IDE and
in the web server datasets (if this was what you were asking for) :)

Regards,
Hüseyin

On 30-06-2015 at 11:28, Matthew Jones wrote:
> Hüseyin Aliz wrote:
>
>> The exact code I am using is:
>
> I can't help further I'm sorry - I'm not sure where that code would be
> - in your Web application I presume? I'd want to know what the SQL on
> the server was like too. Also, is this EWB version 1 or version 2?
>
> But a scan of the EWB v1 help doesn't have any sort of ExecSQL that I'd
> expect for a delete type operation. Perhaps Tim will come by with
> useful info.
>
Tue, Jun 30 2015 5:46 AM

Uli Becker

Hüseyin,

> Thanks anyway. It's EWB 2. The SQL defined in the dataset exists both in the IDE and
> in the web server datasets (if this was what you were asking for) :)

I don't think you can use something like ExecSQL with datasets in EWB,
but you can use a module that reacts to an additional parameter e.g.

Uli
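Matthew's point earlier in the thread (the server only runs "canned" queries, the client supplies a parameter value, and permissions decide who may run which preset) and Uli's suggestion of a server-side module that acts on an extra parameter describe the same design. The following is an added example, not EWB's, DBISAM's or any poster's code: a small Python handler over an in-memory SQLite table named orders with constructed rows stands in for the EWB server and its datasets. The preset names, the role table and the sample rows are all assumptions made for the example. The browser client hands over only a preset name and parameter values, never SQL text; the delete from the original question is the delete_order preset.

```python
import sqlite3

# Constructed sample rows standing in for the orders table (not real data).
SAMPLE_ROWS = [(1000, "alice"), (1001, "bob"), (1002, "carol")]

# The "canned" statements: the only SQL the server will ever execute.
# A client picks a preset by name and supplies parameter values; it never
# sends SQL text. Preset names are assumptions for this example.
PRESETS = {
    "list_orders": "SELECT ordernumber, customer FROM orders ORDER BY ordernumber",
    "delete_order": "DELETE FROM orders WHERE ordernumber = :ordernumber",
}

# Hypothetical permission table: which presets each role may run, so a
# caller cannot run a destructive preset merely because it exists.
PERMISSIONS = {
    "clerk": {"list_orders"},
    "manager": {"list_orders", "delete_order"},
}


def open_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (ordernumber INTEGER PRIMARY KEY, customer TEXT)"
    )
    conn.executemany("INSERT INTO orders VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def run_preset(conn, role, preset_name, params):
    """Server-side handler (the 'module' in Uli's terms).

    Looks the preset up by name, checks that the role may run it, binds the
    parameter values as data and runs the statement inside a transaction.
    Returns the fetched rows for a SELECT, otherwise the affected row count.
    """
    if preset_name not in PRESETS:
        raise PermissionError(f"unknown preset {preset_name!r}")
    if preset_name not in PERMISSIONS.get(role, set()):
        raise PermissionError(f"role {role!r} may not run {preset_name!r}")
    sql = PRESETS[preset_name]
    try:
        # Named placeholders: the driver binds the values, so a parameter
        # value is always compared as a literal and never parsed as SQL.
        cur = conn.execute(sql, params)
        conn.commit()
    except Exception:
        conn.rollback()
        raise
    if sql.lstrip().upper().startswith("SELECT"):
        return cur.fetchall()
    return cur.rowcount


def order_numbers(conn):
    """Helper for checking results: the remaining order numbers, sorted."""
    return [
        row[0]
        for row in conn.execute("SELECT ordernumber FROM orders ORDER BY ordernumber")
    ]


if __name__ == "__main__":
    db = open_sample_db()
    # The delete from the original question: a preset plus one parameter.
    print("deleted:", run_preset(db, "manager", "delete_order", {"ordernumber": 1000}))
    print("remaining:", order_numbers(db))
    # A parameter value containing SQL-looking text is bound as a string,
    # matches no integer order number and deletes nothing.
    print("deleted:", run_preset(db, "manager", "delete_order", {"ordernumber": "1001 OR 1=1"}))
    print("remaining:", order_numbers(db))
    # A role without the permission is refused before any SQL runs.
    try:
        run_preset(db, "clerk", "delete_order", {"ordernumber": 1001})
    except PermissionError as exc:
        print("refused:", exc)
```

The two checks in run_preset are deliberately ordered so that an unknown preset name (for example a client sending "DROP TABLE orders" where a preset name is expected) is rejected before the statement text is even looked up, and the permission table is consulted before the statement is executed; the transaction wrapper mirrors the StartTransaction/Commit/Rollback pattern in the posted EWB code.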
Tue, Jun 30 2015 6:00 AM

Huseyin Aliz

myBiss ApS


Hi Uli,

Thanks for your input :)

I am still a beginner, and unfortunately I don't know much about using
modules with EWB, so if you can share a little sample code it would be
very nice :)

Regards,
Hüseyin


On 30-06-2015 at 11:46, Uli Becker wrote:
> Hüseyin,
>
>> Thanks anyway. It's EWB 2. The SQL defined in the dataset exists both in the IDE and
>> in the web server datasets (if this was what you were asking for) :)
>
> I don't think you can use something like ExecSQL with datasets in EWB,
> but you can use a module that reacts to an additional parameter e.g.
>
> Uli
>
Tue, Jun 30 2015 7:12 AM

Uli Becker

Hüseyin,

> I am still a beginner, and unfortunately I don't know much about using
> modules with EWB, so if you can share a little sample code it would be
> very nice :)

I just posted one of my modules in the Binaries newsgroup (Sample Module
for Michael Saunders); hopefully that will help you.

Uli