
I'd like to make an insert query:

INSERT INTO A_TABLE (BLOB_FIELD) VALUES(MY_BLOB_VAL)

but I have only string values in Delphi, for example:

procedure INSERT_BLOB_QUERY;
var
  query: String;
  my_blob_val: String;
begin
  my_blob_val := 'a blob string to be inserted';
  // the value is concatenated straight into the SQL text (no quoting, no parameter)
  query := 'INSERT INTO A_TABLE (BLOB_FIELD) VALUES(' + my_blob_val + ')';
  // to execute a query....
end;

The problem that occurs is the string-to-blob conversion.

So how do I insert a string into an InterBase blob field?

  • Security alert :) - look up 'SQL injection' or read en.wikipedia.org/wiki/SQL_injection Commented Mar 20, 2011 at 17:33
  • @mjn: While I agree that SQL injection is something to worry about for a database accessible from the internet, what in the question makes you think okami's database is anywhere near being exposed to the internet? Most databases live a very well protected life behind firewalls, LAN access restrictions and domain security. And the code okami is showing may well be part of an otherwise very well protected n-tier solution. Commented Mar 20, 2011 at 19:21
  • Good practice is always good practice, web-connected or not: xkcd.com/327 Commented Mar 20, 2011 at 19:50
  • @Marjan what makes you think SQL injection is not a risk when the database is accessed over a LAN (or behind a firewall) and not directly from the Internet? What kind of protection do firewalls offer against SQL injection? Commented Mar 21, 2011 at 15:33
  • @Marjan They would have other means, but why leave the SQL injection door wide open?... from a security point of view you have to detect and close as many holes in the system as possible. Commented Mar 22, 2011 at 16:52


Like this:

procedure INSERT_BLOB_QUERY;
begin
  // query is assumed to be a TIBQuery (or any TDataSet exposing SQL and Params)
  query.SQL.Text := 'INSERT INTO A_TABLE (BLOB_FIELD) VALUES (:VAL)';
  query.ParamByName('VAL').AsString := 'a blob string to be inserted';  // bound as data, not SQL text
  query.ExecSQL;  // run the statement
end;

Your code doesn't work because you're not passing the string as a parameter, you're passing it as part of the query. If you do that, you obviously need to QUOTE it: the way you're doing it, InterBase will try to interpret it as SQL commands, not as a literal string to be inserted in a db column.

Nonetheless, don't go for quoting. It's always better to use parameters, it's safer!


one minor nitpick... query.SQL is a TStringList, and so you need to use query.SQL.Text instead. +1, though.
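As an added example (not code from the question or the answer): the question's concatenating builder next to the parameterized insert the answer recommends, using IBX's TIBQuery (an assumption; any TDataSet with SQL and Params behaves the same), plus a stream-bound variant for binary blob content. The database path and credentials are constructed placeholders.

```delphi
program BlobParamDemo;
{$APPTYPE CONSOLE}
uses
  SysUtils, Classes, DB, IBDatabase, IBQuery;
// The question's approach: the value is spliced into the SQL text, so InterBase
// parses it as SQL tokens instead of storing it; an apostrophe in the value
// breaks the statement. Kept only to show the failure mode.
function BuildConcatenatedInsert(const Value: string): string;
begin
  Result := 'INSERT INTO A_TABLE (BLOB_FIELD) VALUES (' + Value + ')';
end;

// Parameterized insert: the text is sent as a bound value and is stored in the
// BLOB column unchanged, whatever characters it contains.
procedure InsertBlobFromString(Query: TIBQuery; const Value: string);
begin
  Query.SQL.Text := 'INSERT INTO A_TABLE (BLOB_FIELD) VALUES (:VAL)';
  Query.ParamByName('VAL').AsString := Value;
  Query.ExecSQL;
end;

// Same statement for binary content: bind the parameter from a stream.
procedure InsertBlobFromStream(Query: TIBQuery; Data: TStream);
begin
  Query.SQL.Text := 'INSERT INTO A_TABLE (BLOB_FIELD) VALUES (:VAL)';
  Data.Position := 0;
  Query.ParamByName('VAL').LoadFromStream(Data, ftBlob);
  Query.ExecSQL;
end;

var
  Database: TIBDatabase; Trans: TIBTransaction; Query: TIBQuery;
begin
  Database := TIBDatabase.Create(nil); Trans := TIBTransaction.Create(nil); Query := TIBQuery.Create(nil);
  try
    Database.DatabaseName := 'localhost:C:\data\example.ib';  // constructed path
    Database.Params.Values['user_name'] := 'SYSDBA';          // placeholder
    Database.Params.Values['password'] := 'CHANGE_ME';        // placeholder
    Database.LoginPrompt := False;
    Trans.DefaultDatabase := Database;
    Query.Database := Database;
    Query.Transaction := Trans;
    Database.Open;
    Trans.StartTransaction;
    InsertBlobFromString(Query, 'a blob string with an '' apostrophe');
    Trans.Commit;
  finally
    Query.Free; Trans.Free; Database.Free;
  end;
end.
```

BuildConcatenatedInsert is never executed against the database; it exists only so you can compare the SQL text it produces with the fixed statement the parameterized procedures send.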
