I am writing an SQL query as a Javascript string like that:
SQLdetail = 'SELECT [Avis SAP], Avis.[Ordre SAP], [Date Appel], [Heur Appel], Client_List![Code Client], [Numero Passerelle], [Designation Appel], Ordre![Metier], Ordre!Repercussion, Ordre!Objet, Ordre![Profil Panne], Ordre!Cause, Ordre![Sommaire Correctif], Ordre![Statut]'
SQLdetail += ' FROM (Avis'
SQLdetail += ' LEFT JOIN Client_List ON Avis.[Numero Client] = Client_List.[Numero Client])'
SQLdetail += ' LEFT JOIN Ordre ON Avis.[Ordre SAP] = Ordre.[Ordre SAP] WHERE Avis.[Date Appel] BETWEEN #' & DateOne & '# AND #' & DateTwo & '#;'
alert('SQLdetail:' + SQLdetail)
and the last SQLdetail += somehow returns "0". Am I missing something in the syntax that just turns the whole string to a 0?
- What is in variables DateOne and DateTwo? Is it a string? If not you may want to convert to a string. – John Hartsock Commented Nov 14, 2011 at 17:42
- 2 I hope you won't be using JS to generate SQL which is sent to a server to be executed, otherwise I hope you'll enjoy mean users hacking the script to send DROP DATABASE database(); – Marc B Commented Nov 14, 2011 at 17:43
- Why are you constructing SQL with javascript? This should be done server side. – jrummell Commented Nov 14, 2011 at 17:43
- 2 I have a question! What do you want to do with your SQL in JavaScript? – Abdul Munim Commented Nov 14, 2011 at 17:45
- ok ppl relax, it's an internal web app I have no choice but to use client side and access 2003... – sebastien leblanc Commented Nov 14, 2011 at 17:57
5 Answers
2
You're mixing with VB syntax. In JavaScript you must concatenate strings with +
SQLdetail += ' LEFT JOIN Ordre ON Avis.[Ordre SAP] = Ordre.[Ordre SAP] WHERE Avis.[Date Appel] BETWEEN #' + DateOne + '# AND #' + DateTwo + '#;'
What is with the & in: BETWEEN #' & DateOne & '# AND #' & DateTwo & '#;'
Change to a +
If this is Javascript you need to use + instead of & here:
SQLdetail += ' LEFT JOIN Ordre ON Avis.[Ordre SAP] = Ordre.[Ordre SAP] WHERE Avis.[Date Appel] BETWEEN #' & DateOne & '# AND #' & DateTwo & '#;'
You are using a bitwise operator in your code:
& DateTwo &
This doesn't join strings. Use a +:
+ DateTwo +
Other than that, why in the world are you generating your SQL with JavaScript???
The only way you can send it to your server is through the browser, which means that I have total control over the request.
Basically, you are giving me root privileges to your database. I'm nice and won't abuse it, but I can only speak for myself.
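Added example (not part of any answer here, and not the asker's code): it shows why the & version of the WHERE clause evaluates to 0, and one way to validate DateOne and DateTwo before they are placed between the # delimiters. The function names and the YYYY-MM-DD input format are assumptions made for this example.

```javascript
// The question's expression: & is bitwise AND. Each operand is converted to a
// 32-bit integer; a non-numeric string becomes NaN, which becomes 0, and
// 0 & anything is 0. "SQLdetail += 0" then appends the character "0".
function buggyWhere(dateOne, dateTwo) {
  return ' WHERE Avis.[Date Appel] BETWEEN #' & dateOne & '# AND #' & dateTwo & '#;';
}

// Hypothetical helper: accept only a real calendar date written as YYYY-MM-DD
// (assumed input format) and return it as an Access #...# date literal.
function toAccessDateLiteral(value) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(value));
  if (!m) throw new TypeError('not a YYYY-MM-DD date: ' + value);
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  // Date rolls invalid days over (Feb 30 -> Mar 2), so compare the parts back.
  if (dt.getUTCFullYear() !== y || dt.getUTCMonth() !== mo - 1 || dt.getUTCDate() !== d) {
    throw new RangeError('not a calendar date: ' + value);
  }
  return '#' + m[1] + '-' + m[2] + '-' + m[3] + '#';
}

// Same clause built with +, with both dates validated before concatenation.
function fixedWhere(dateOne, dateTwo) {
  return ' WHERE Avis.[Date Appel] BETWEEN ' + toAccessDateLiteral(dateOne) +
         ' AND ' + toAccessDateLiteral(dateTwo) + ';';
}

// Constructed sample values.
console.log(buggyWhere('2011-11-01', '2011-11-14'));
console.log(fixedWhere('2011-11-01', '2011-11-14'));
```

The check keeps a typed-in value from changing the shape of the query; it does not change the point made in the answers that whoever runs the script controls the whole statement.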
You are using & to concatenate instead of +