SQL查询在Access数据库中有效,但在Delphi 7中无效

时间:2017-05-17 17:10:53

标签: sql delphi

   procedure TformVet.sdaClick(Sender: TObject);
 var anID, anT, anN, anG, anSp, anSi, anDR, anDF, anPD, anTr, anO : String;
      anRID, anRT, anRN, anRG, anRSp, anRSi, anRDR, anRDF, anRPD, anRTr, anRO : String;
begin
  ShowMessage('If you are not searching for a specific group of data, leave the input field empty!');
  anID := InputBox('Animal ID','What is the ID of the Animal you are searching for?','');
  anT := InputBox('Animal Type','What is the type of Animal you are searching for?','');
  anN := InputBox('Animal Name','What is the name of the Animal you are searching for?','');
  anG := InputBox('Animal Genus','What is the genus of the Animal you are searching for?','');
  anSp := InputBox('Animal Species','What is the species of the Animal you are searching for?','');
  anSi := InputBox('Animal Sickness','What is the sickness of the Animal you are searching for?','');
  anDR := InputBox('Date Received','What is the date received of the Animal you are searching for?','');
  anDF := InputBox('Date Fetched','What is the date fetched of the Animal you are searching for?','');
  anPD := InputBox('Paid','What is the status of payment of the Animal''s treatment that you are searching for? (Yes/No)','');
  anTr := InputBox('Treatment','What is the cost of the treatment you are searching for?','');
  anO := InputBox('Owner ID','What is the ID of the Owner you are searching for?','');

  if getLen(anID) > 0 then
    anRID := '(AnimalID = ' + anID + ')'
  else
    anRID := '(AnimalID LIKE "*")';

  if getLen(anT) > 0 then
    anRT := '(anType = "' + anT + '")'
  else
    anRT := '(anType LIKE "*")';

  if getLen(anN) > 0 then
    anRN := '(anName = "' + anN + '")'
  else if getLen(anN) = 0 then
    anRN := '(anName LIKE "*")';

  if getLen(anG) > 0 then
    anRG := '(anGenus = "' + anG + '")'
  else
    anRG := '(anGenus LIKE "*")';

  if getLen(anSp) > 0 then
    anRSp := '(anSpecie = "' + anSp + '")'
  else
    anRSp := '(anSpecie LIKE "*")';

  if getLen(anSi) > 0 then
    anRSi := '(anSick = "' + anSi + '")'
  else
    anRSi := '(anSick LIKE "*")';

  if getLen(anDR) > 0 then
    anRDR := '(anDateRec = "' + anDr + '")'
  else
    anRDR := '(anDateRec LIKE "*")';

  if getLen(anDF) > 0 then
    anRDF := '(anDateFet = "' + anDf + '")'
  else
    anRDF := '(anDateFet LIKE "*")';

  i := 1;
  While i = 1 do
  begin
    if UpperCase(anPD) = 'YES' then
      begin
        anRPD := '(anPaid = "-1")';
        i := 0;
      end
    else if UpperCase(anPD) = 'NO' then
      begin
        anRPD := '(anPaid = "0")';
        i := 0;
      end
    else if getLen(anPD) = 0 then
      begin
        anRPD := '(anPaid LIKE "*")';
        i := 0;
      end
    else
      ShowMessage(anPD + ' is not a valid query!');
  end;

  if getLen(anTr) > 0 then
    anRTr := '(anTreat = ' + anTr + ')'
  else
    anRTr := '(anTreat LIKE "*")';

  if getLen(anO) > 0 then
    anRO := '(OwnerID = ' + anO + ')'
  else
    anRO := '(OwnerID LIKE "*")';

  SS := 'SELECT * FROM tblAnimal ';
  SS := SS + 'WHERE ' + anRT + ' AND ' + anRN + ' AND ' + anRT + ' AND ' + anRG + ' AND ' + anRSp + ' AND ' + anRSi + ' AND ' + anRDR + ' AND ' + anRDF + ' AND ' + anRPD + ' AND ' + anRTr + ' AND ' + anRO + ';';

  adoAnimal.Close;
  adoAnimal.SQL.Text := SS;
  adoAnimal.ExecSQL;
  adoAnimal.Open;
end;

这是我的搜索按钮的代码,它假设查找具有指定数据的记录,但它不起作用。在delphi中运行时的查询会返回,即使您没有输入任何数据也没有结果。

这是在没有输入数据时运行的SQL查询:

SELECT * FROM tblAnimal WHERE (anType LIKE "*") AND (anName LIKE "*") AND (anType LIKE "*") AND (anGenus LIKE "*") AND (anSpecie LIKE "*") AND (anSick LIKE "*") AND (anDateRec LIKE "*") AND (anDateFet LIKE "*") AND (anPaid LIKE "*") AND (anTreat LIKE "*") AND (OwnerID LIKE "*");

这是一个高中项目,任何帮助将非常感谢! `

1 个答案:

答案 0 :(得分:1)

不要使用doble引号来分隔字符串,而是使用简单的引号。单引号是引用字符串的标准SQL,您的Delphi组件可能期望它们。表示任何字符的标准通配符也是%,而不是*。

要在Delphi字符串中指定简单引号,您必须编写两个简单的引号:

 procedure TformVet.sdaClick(Sender: TObject);
 var anID, anT, anN, anG, anSp, anSi, anDR, anDF, anPD, anTr, anO : String;
      anRID, anRT, anRN, anRG, anRSp, anRSi, anRDR, anRDF, anRPD, anRTr, anRO : String;
begin
  ShowMessage('If you are not searching for a specific group of data, leave the input field empty!');
  anID := InputBox('Animal ID','What is the ID of the Animal you are searching for?','');
  anT := InputBox('Animal Type','What is the type of Animal you are searching for?','');
  anN := InputBox('Animal Name','What is the name of the Animal you are searching for?','');
  anG := InputBox('Animal Genus','What is the genus of the Animal you are searching for?','');
  anSp := InputBox('Animal Species','What is the species of the Animal you are searching for?','');
  anSi := InputBox('Animal Sickness','What is the sickness of the Animal you are searching for?','');
  anDR := InputBox('Date Received','What is the date received of the Animal you are searching for?','');
  anDF := InputBox('Date Fetched','What is the date fetched of the Animal you are searching for?','');
  anPD := InputBox('Paid','What is the status of payment of the Animal''s treatment that you are searching for? (Yes/No)','');
  anTr := InputBox('Treatment','What is the cost of the treatment you are searching for?','');
  anO := InputBox('Owner ID','What is the ID of the Owner you are searching for?','');

  if getLen(anID) > 0 then
    anRID := '(AnimalID = ' + anID + ')'
  else
    anRID := '(AnimalID LIKE ''%'')';

  if getLen(anT) > 0 then
    anRT := '(anType = ''' + anT + ''')'
  else
    anRT := '(anType LIKE ''%'')';

  if getLen(anN) > 0 then
    anRN := '(anName = ''' + anN + ''')'
  else if getLen(anN) = 0 then
    anRN := '(anName LIKE ''%'')';

  if getLen(anG) > 0 then
    anRG := '(anGenus = ''' + anG + ''')'
  else
    anRG := '(anGenus LIKE ''%'')';

  if getLen(anSp) > 0 then
    anRSp := '(anSpecie = ''' + anSp + ''')'
  else
    anRSp := '(anSpecie LIKE ''%'')';

  if getLen(anSi) > 0 then
    anRSi := '(anSick = ''' + anSi + ''')'
  else
    anRSi := '(anSick LIKE ''%'')';

  if getLen(anDR) > 0 then
    anRDR := '(anDateRec = ''' + anDr + ''')'
  else
    anRDR := '(anDateRec LIKE ''%'')';

  if getLen(anDF) > 0 then
    anRDF := '(anDateFet = ''' + anDf + ''')'
  else
    anRDF := '(anDateFet LIKE ''%'')';

  i := 1;
  While i = 1 do
  begin
    if UpperCase(anPD) = 'YES' then
      begin
        anRPD := '(anPaid = ''-1'')';
        i := 0;
      end
    else if UpperCase(anPD) = 'NO' then
      begin
        anRPD := '(anPaid = ''0'')';
        i := 0;
      end
    else if getLen(anPD) = 0 then
      begin
        anRPD := '(anPaid LIKE ''%'')';
        i := 0;
      end
    else
      ShowMessage(anPD + ' is not a valid query!');
  end;

  if getLen(anTr) > 0 then
    anRTr := '(anTreat = ' + anTr + ')'
  else
    anRTr := '(anTreat LIKE ''%'')';

  if getLen(anO) > 0 then
    anRO := '(OwnerID = ' + anO + ')'
  else
    anRO := '(OwnerID LIKE ''%'')';

  SS := 'SELECT * FROM tblAnimal ';
  SS := SS + 'WHERE ' + anRT + ' AND ' + anRN + ' AND ' + anRT + ' AND ' + anRG + ' AND ' + anRSp + ' AND ' + anRSi + ' AND ' + anRDR + ' AND ' + anRDF + ' AND ' + anRPD + ' AND ' + anRTr + ' AND ' + anRO + ';';

  adoAnimal.Close;
  adoAnimal.SQL.Text := SS;
  adoAnimal.ExecSQL;
  adoAnimal.Open;
end;

这不应该在真实环境中使用,因为它可以通过SQL注入进行攻击。但作为一个学校的工作,它可能很好(虽然你的老师会很高兴,如果你评论)。

阅读有关SQL注入的更多信息,在生产环境中不使用此类代码非常重要(而应使用参数):https://arstechnica.com/information-technology/2016/10/how-security-flaws-work-sql-injection/