SQLAppend

Appends a query string to the SQL buffer. Cicode cannot send an SQL query that is longer than 255 characters. If you have an SQL query that is longer than the 255-character limit, split it into smaller strings and use this function to append each piece to the SQL buffer.

This function can be called in the foreground or background.

Queries that are built from user data, for example values entered by users via graphics pages or forms, may be prone to SQL injection attacks. In such cases, limit the risk by using the Cicode functions from the parameterized-queries group, and seek professional advice on this matter.

NOTICE

SECURITY BREACH VIA SQL INJECTION

- Validate all textbox entries using validation controls, regular expressions and code
- Use parameterized SQL or stored procedures
- Use a limited access account to connect to the database

Failure to follow these instructions can result in equipment damage.

Building queries from pieces (SQLSet, SQLAppend) or adding parameters to either queries or connections (SQLParam functions) requires several calls to the respective Cicode functions. If several functions try to manipulate the same connection at the same time, conflicts and unintended operations may occur. This is a typical multithreading problem.

To avoid this, instead of manipulating connections, consider using locally created and locally disposed queries. For example:

int function SAFE_SQL_CICODE_MULTITHREAD_USE(int hConnection)
    // locally created query; hConnection is a DB connection handle
    // returned from SQLConnect() or SQLCreate() (passed in here so the
    // function does not depend on an undeclared variable)
    int hStmt = SQLQueryCreate(hConnection);

    // Set the query
    SQLSet(hStmt, "select * from TAB where NAME=@Name");

    // Add parameters to the query
    SQLParamsSetAsString(hStmt, "Name", "Aaa");

    // Execute the query
    SQLGetRecordset(hStmt, "");

    // the locally created query is disposed
    SQLQueryDispose(hStmt);
    return 0;
End

Syntax

SQLAppend(hGeneral, String)

hGeneral:

The handle either to the DB connection object (returned from the SQLCreate() or SQLConnect() function) or to the query handle (returned from SQLQueryCreate()). When it is the connection handle, the operation is performed on the default query in that DB connection object. When it is the query handle, the operation is performed on that query through the DB object associated with it.

String:

The query string to append to the SQL buffer.

Return Value

0 (zero) if successful, otherwise an error number is returned. (For details of the 307 error code, call the SQLErrMsg function).

Related Functions

SQLSet, SQLBeginTran, SQLCommit, SQLConnect, SQLDisconnect, SQLEnd, SQLErrMsg

Example

See SQLSet
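The following added example (not from the original page) combines the two points above: a query longer than 255 characters is sent in pieces with SQLSet and SQLAppend on a locally created, parameterized query, and every return value is checked before the query is run. The table and column names are constructed, hConnection is assumed to be a handle from SQLConnect() or SQLCreate(), SQLQueryCreate() is assumed to return -1 on failure, and the other SQL functions are assumed to follow SQLAppend's convention of returning 0 on success.

```cicode
INT FUNCTION QueryOpenOrdersByCustomer(INT hConnection, STRING sCustomer)
    INT hStmt;
    INT iErr;
    // Constructed query text, split so that no single string passed to
    // SQLSet or SQLAppend exceeds the 255-character limit. Table and
    // column names are made up for this example.
    STRING sPart1 = "SELECT o.ORDER_ID, o.ORDER_DATE, o.TOTAL, c.CUSTOMER_NAME ";
    STRING sPart2 = "FROM ORDERS o INNER JOIN CUSTOMERS c ON o.CUSTOMER_ID = c.CUSTOMER_ID ";
    STRING sPart3 = "WHERE c.CUSTOMER_NAME = @Customer AND o.STATUS = 'OPEN' ";
    STRING sPart4 = "ORDER BY o.ORDER_DATE DESC";

    // A query created and disposed inside this function is not shared
    // with other Cicode threads, so nothing else can touch its buffer.
    hStmt = SQLQueryCreate(hConnection);
    IF hStmt = -1 THEN   // assumed failure value; see SQLQueryCreate
        RETURN -1;
    END

    // SQLSet starts the buffer; each SQLAppend adds the next piece.
    // Stop at the first non-zero return so a half-built query is never run.
    iErr = SQLSet(hStmt, sPart1);
    IF iErr = 0 THEN
        iErr = SQLAppend(hStmt, sPart2);
    END
    IF iErr = 0 THEN
        iErr = SQLAppend(hStmt, sPart3);
    END
    IF iErr = 0 THEN
        iErr = SQLAppend(hStmt, sPart4);
    END

    // The user-supplied value is bound as a parameter, never concatenated
    // into the query text, which is what keeps it from being injected.
    IF iErr = 0 THEN
        iErr = SQLParamsSetAsString(hStmt, "Customer", sCustomer);
    END

    IF iErr = 0 THEN
        iErr = SQLGetRecordset(hStmt, "");
    END

    IF iErr <> 0 THEN
        ErrLog("Open-orders query failed, error " + IntToStr(iErr));
    END

    // Always dispose the locally created query, even on error.
    SQLQueryDispose(hStmt);
    RETURN iErr;
END
```

For the text of a non-zero error code, call SQLErrMsg as described under Return Value.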

See Also

SQL Functions

Published June 2018