
I was trying to prevent SQL injection in my Delphi application by securing user inputs using the following query:

procedure TForm1.Button1Click(Sender: TObject);
var
  userNameID: string;
begin
  userNameID := edit1.Text;
  with adoquery1 do
  begin
    sql.Clear;
    sql.Add('select * from users where id = :'''+userNameID+''';');
    Open;
  end;
end;

but it's not returning any results.

Can you tell me what's wrong in my code please?

2 Comments

  • It's much better to use parameters in your queries as opposed to strings. I think that the problem is the semicolon before the username. Commented Oct 6, 2018 at 4:37
  • SQL injection issues aside, the above code is probably not working because of the colon which should be removed. Commented Oct 7, 2018 at 13:33

1 Answer

Your code doesn't do anything to prevent SQL injection, because you're still directly concatenating text to the query. Your SQL syntax is also invalid.

Something like this will work:

procedure TForm1.Button1Click(Sender: TObject);
begin
  // The SQL text is fixed; :ID is a named parameter placeholder, not part of the string.
  AdoQuery1.SQL.Text := 'select * from users where id = :ID';
  // TADOQuery exposes TParameter objects, which have Value (not AsString);
  // the user input is bound as a value and never parsed as SQL.
  AdoQuery1.Parameters.ParamByName('ID').Value := Edit1.Text;
  AdoQuery1.Open;
end;

2 Comments

@DJMixRhymez This is more than a "tip", this is the answer to your question. You should mark this as the accepted answer by clicking on the checkmark on the left.
Sorry, I'm new here, I still don't know how this website works, but thank you :)
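The difference the answer describes, shown end to end as an added example that is not part of the original question or answer. It is written in Python against an in-memory SQLite database (the `users` table and its three rows are constructed here, and the database engine is an assumption; the asker used ADO) because the point is database-side, not Delphi-specific: a value spliced into the SQL text can close the quote and append its own condition, while a bound parameter is only ever compared as a value. The SQL-Server-side behaviour of the stray `:` in the question's query is not reproduced here.

```python
import sqlite3

# Constructed sample table for this demo; not data from the original post.
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def open_demo_db():
    """In-memory SQLite database standing in for the asker's 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, name text)")
    conn.executemany("insert into users (id, name) values (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, user_input):
    """Vulnerable: the value is spliced into the SQL text, which is what the
    question's Delphi code does (minus the stray colon). Quoting the value
    does not help, because the input can close the quote itself."""
    sql = "select id, name from users where id = '" + user_input + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_input):
    """Safe: the SQL text is fixed and the value travels as a bound
    parameter, the equivalent of ParamByName('ID') in the answer."""
    sql = "select id, name from users where id = ?"
    return conn.execute(sql, (user_input,)).fetchall()


def demo():
    """Run both lookups with a benign and a hostile input and return the rows."""
    conn = open_demo_db()
    benign = "2"
    hostile = "2' or '1'='1"      # closes the quote, then appends a tautology
    return {
        "concat_benign": lookup_concatenated(conn, benign),
        "concat_hostile": lookup_concatenated(conn, hostile),   # every row
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),   # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the hostile input returns the whole table; with the bound parameter the same input is compared as the literal string `2' or '1'='1`, matches no id, and returns nothing. Note also that the column is an integer, so in the Delphi version you would normally validate or convert the text to an integer before binding rather than bind it as a string.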