Add dynamic values in sql where clause, but its not working_问答_开发者

Add dynamic values in sql where clause, but its not working

开发者 https://www.devze.com 2023-02-18 14:53 出处：网络

I am trying to add month value from the drop down list into where clause but it\'s not working. If I select January month from the drop down list, then hello variable should contain that month.

相关专题：sql

I am trying to add month value from the drop down list into where clause but it's not working.

If I select January month from the drop down list, then hello variable should contain that month.

I am able to extract month and storing in hello variable but it's not working with the where clause. Any suggestions will be appreciated

function tree() {
    alert("abc");
    var shortName = 'EXPDB';  
    var version = '';  
    var displayN开发者_开发知识库ame = 'EXPENSE Database';  
    var maxSize = 2*1024*1024; //  bytes  
    EXPDB = window.openDatabase(shortName, version, displayName, maxSize);  
    EXPDB.transaction(
        function (transaction) {
            var hello= $('#mchoose').val();//Contains the month value from drop down list
            alert("Wass"+hello);
            transaction.executeSql("SELECT SUM(amount1) AS OrderTotal FROM budget1 WHERE month= "+hello+" ", [], dataSelectHandler, errorHandler)
        }
     );
 }

For non-numeric values, you must wrap the values in single quotes:

var mySQL = "SELECT SUM(amount1) AS OrderTotal FROM budget1 WHERE month='"+hello+"'";

transaction.executeSql(mySQL, [], dataSelectHandler, errorHandler);

For this to work, it assumes your month column is of datatype varchar!

It appears you're taking form values and executing right against the database. Be warned: this is opening you up to a huge SQL injection vulnerability.