tags:

views:

116

answers:

3
+1  Q: 

SQLite Delphi thowing up incorrect exception.

Project CompetitionServer.exe raised exception class ESQLiteException with message 'Error executing SQL.
Error [1]: SQL error or missing database.
"INSERT INTO MatchesTable(MatchesID,RoundID,AkaFirstName,AoFirstName)VALUES(1,2,p,o)": no such column: p'. Process stopped. Use Step or Run to continue.

Yes, p is NOT a column, it is the data I am trying to insert. How can I fix this problem?

+2  A: 

You value 'p' is a constant, so you need to put it in quotes. So the statement needs to be

INSERT INTO MatchesTable(MatchesID,RoundID,AkaFirstName,AoFirstName)VALUES(1,2,'p','o')
Rob McDonell  2010-04-29 01:51:15
+3  A: 

In SQL, string constants that are data must be enclosed in quotes. Otherwise the string is interpreted as a keyword, table name, or column name, which is what's happening here. Use 'p' instead of plain p.

Larry Lustig  2010-04-29 01:55:17
And 'o' instead of plain o.
mghie  2010-04-29 03:53:49
SQLite doesnt force a column you declare to be Integer to actual hold only integer values, I somehow took that to mean that I could input string data without quotes as if it could be an integer which was obviously flawwed. Thanks.
NeoNMD  2010-04-29 22:17:42
+2  A: 

You have to use SQL parameters. The standard Delphi approach to that:

Query1.SQL.Text := 'INSERT INTO MatchesTable(MatchesID,RoundID,AkaFirstName,AoFirstName)VALUES(1,2,:p,:o)';
Query1.Params[0].Value := ...;
Query1.Params[1].Value := ...;
Query1.ExecSQL;

But details may depend on the data access components you are using.

da-soft  2010-04-29 03:40:29
OP doesn't *have* to use parameters, but it surely is a better idea than building the SQL statement by concatenating SQL snippets and data entered by the user - that way lie injection attacks. I will assume his statement *is* built at runtime.
mghie  2010-04-29 03:56:53
Injection is only one issue. Few others - values formating and performance. So, although NeoNMD does not have to use parameters, but it is a good practice, which must be a DB programmer rule.
da-soft  2010-04-29 05:38:27
I am using a delphi SQLite wrapper which I do not believe has the functionality you sat above.All SQL is ran as string statements using something along these lines:TSqlDatabase.ExecSQL(SQL:String);So it just directly tries to run strings you pass it.Also there is no risk of injection as all the data is generated by the system. At no point does it take user inputs.This is however my first attempt at actually using a database in a program and so will look into that for any further projects.
NeoNMD  2010-04-29 22:19:56

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP