SQL statements embedded in code?

(OP)
Hi all,

I've set up libraries that have SQL embedded in the Delphi code to handle modifying data in our main application database. The database is PowerFlex (or DataFlex) and while it supports views, it doesn't support things like stored procedures. So my libraries are set up as flexible core functions to do things like CreateTransaction, DeleteTransaction, etc. so that my programs never use SQL at all, and just use these high-level library functions.

But - that still leaves the SQL as strings in my code, and presumably in the final .exe, and from what I've read, this is bad. But nowhere have I found suggestion of a better way, aside from stored procedures.

What's the best practice here?

RE: SQL statements embedded in code?

I don't see why it would be bad.
The only thing you need to take into account is SQL injection (i.e. concatenating your statement with actual values).
A hard & fast rule is to always use parameters in code.

/Daddy

-----------------------------------------------------
Helping people is my job...
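The contrast Daddy is drawing, as an added example that is not from the thread: a library-style DeleteTransaction written once by string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table standing in for the PowerFlex database.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the application database (three sample rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE transactions (id INTEGER PRIMARY KEY, amount INTEGER)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)",
                     [(1, 100), (2, 250), (3, 75)])
    conn.commit()
    return conn


def delete_transaction_concat(conn: sqlite3.Connection, trans_id) -> int:
    """Vulnerable form: the caller's value becomes part of the statement text,
    so anything that looks like SQL in it is executed as SQL."""
    sql = "DELETE FROM transactions WHERE id = " + str(trans_id)
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually deleted


def delete_transaction_param(conn: sqlite3.Connection, trans_id) -> int:
    """Parameterised form: the statement text is fixed and the value is bound
    separately, so it can only ever be compared as data."""
    cur = conn.execute("DELETE FROM transactions WHERE id = ?", (trans_id,))
    conn.commit()
    return cur.rowcount


def remaining(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM transactions").fetchone()[0]


def demo() -> tuple:
    hostile = "1 OR 1=1"  # constructed input that is not a valid id
    a = make_db()
    n_concat = delete_transaction_concat(a, hostile)  # wipes every row
    b = make_db()
    n_param = delete_transaction_param(b, hostile)    # matches nothing
    n_legit = delete_transaction_param(b, 2)          # normal call still works
    return n_concat, remaining(a), n_param, n_legit, remaining(b)


if __name__ == "__main__":
    print(demo())
```

The Delphi equivalent is to keep the :Name placeholder in the query component's SQL text and assign the value through ParamByName rather than building the string.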

RE: SQL statements embedded in code?

Another option is to store the SQL commands in a SQLite database that is encrypted. Prying eyes won't be able to see the SQL, and if you have to update the SQL you might be able to simply update the SQLite database vs recompiling.

I second Daddy's direction on using parameters where possible.

RE: SQL statements embedded in code?

(OP)
Parameters all the way, agreed.

I couldn't really understand why it's bad, although if I were distributing my apps to unknown persons, I'd take steps to encrypt like DjangMan suggests, but then I can't really think what an external app would be doing with SQL anyway. It's all server-side stuff.

Thanks for your thoughts. You've put my mind at ease.

RE: SQL statements embedded in code?

Quote:

but then I can't really think what an external app would be doing with SQL anyway. It's all server-side stuff.

The SQL statement is how you interact with the database. Send SQL statement, retrieve results. So anything that gets data out of the database, no matter where it is located, would require your app to ship the SQL to do it. So what you wrote is very true:

Quote:

that still leaves the SQL as strings in my code, and presumably in the final .exe
