
Help with SQL select query



kbalona
05-15-2011, 01:16 PM
I have a query that I'm using to filter information retrieved from an SQL database.

SELECT InvUnique FROM Inventry WHERE Cat = '367'

I'm trying to further filter the information that is retrieved. The "Inventry" table also has a column called "Low". In addition to retrieving only records with "367" in the "Cat" column, I would like to narrow it down even further by filtering records that have a number 1 or higher entered in this column "Low" (anything except 0). I don't know how to do this in a SELECT statement.

oesxyl
05-15-2011, 03:23 PM
I have a query that I'm using to filter information retrieved from an SQL database.

SELECT InvUnique FROM Inventry WHERE Cat = '367'

I'm trying to further filter the information that is retrieved. The "Inventry" table also has a column called "Low". In addition to retrieving only records with "367" in the "Cat" column, I would like to narrow it down even further by filtering records that have a number 1 or higher entered in this column "Low" (anything except 0). I don't know how to do this in a SELECT statement.
something like this?


select InvUnique from Inventry where Cat = '367' and Low > 0

I assumed Low is a numeric field.

best regards

kbalona
05-15-2011, 10:30 PM
Thanks, that did the trick.

oesxyl
05-15-2011, 10:33 PM
Thanks, that did the trick.
You are welcome. :) If Cat is a number, it is better not to use quotes around the value.

best regards

bullant
05-16-2011, 02:52 AM
If Cat is a number, it is better not to use quotes around the value.


Hmmm... is it really better? Some of the well-respected SQL gurus over at Sitepoint say numbers should be wrapped in quotes as well, as part of an overall strategy for combating SQL injection attacks.

Perhaps you can explain how you think it is better.

oesxyl
05-16-2011, 03:00 AM
Hmmm... is it really better? Some of the well-respected SQL gurus over at Sitepoint say numbers should be wrapped in quotes as well, as part of an overall strategy for combating SQL injection attacks.

Perhaps you can explain how you think it is better.
Maybe this is what you understood from what they said. Comparing strings and numbers are different things and have nothing to do with SQL injection.

best regards

bullant
05-16-2011, 03:21 AM
If the number is not wrapped in quotes then a malicious user could supply a string to do whatever. If the number is wrapped in quotes then the user-inputted string becomes part of the string in the SQL statement.

Of course you shouldn't rely on this as the main defence against sql injection because there are much better and more secure ways of combating sql injection, but if the database supports wrapping numbers in quotes I don't have an issue with anyone wrapping the numbers in quotes.

It boils down to personal choice unless you are dealing with a very large database in which performance might become an issue.
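The filtered query from the accepted answer, combined with the "better and more secure ways" the last post alludes to (a bound parameter plus numeric validation instead of quoting the literal), as an added example that is not part of the original thread. The in-memory SQLite copy of "Inventry" and its rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data standing in for the thread's "Inventry" table:
# (InvUnique, Cat, Low). Only rows with Cat = 367 and Low > 0 should match.
SAMPLE_ROWS = [
    (1001, 367, 0),
    (1002, 367, 3),
    (1003, 367, 12),
    (1004, 412, 5),
    (1005, 367, 0),
]


def build_db():
    """Create an in-memory SQLite table shaped like Inventry and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Inventry (InvUnique INTEGER PRIMARY KEY, Cat INTEGER, Low INTEGER)"
    )
    conn.executemany("INSERT INTO Inventry VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_in_stock(conn, cat):
    """Return the InvUnique values whose Cat equals `cat` and whose Low is above 0.

    `cat` is validated as a whole number and then passed as a bound parameter,
    so the database receives it as a value, never as part of the statement
    text. Whether a literal would have been quoted or not is irrelevant here:
    no user-supplied characters are spliced into the SQL at all.
    """
    cat = int(cat)  # raises ValueError for anything that is not a whole number
    cur = conn.execute(
        "SELECT InvUnique FROM Inventry WHERE Cat = ? AND Low > 0 ORDER BY InvUnique",
        (cat,),
    )
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    db = build_db()
    print(find_in_stock(db, 367))    # [1002, 1003]
    print(find_in_stock(db, "367"))  # same result: the string is validated, then bound
```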


