Argument must be single variable or literal

Post by barry.marcus »

Why doesn't this work:

<$tabName="PATN_TEST">
<$Query="SELECT DISTINCT PATN_ISD FROM $tabName WHERE PATN_ISD > '20051231' ORDER BY PATN_ISD">

I get the error message "Argument must be single variable or literal"

Thanks.

Post by jason112 »

You need to double escape dollar signs to get them in string constants.

<$Query="SELECT DISTINCT PATN_ISD FROM $$tabName WHERE PATN_ISD > '20051231' ORDER BY PATN_ISD">

This will put "FROM $tabName WHERE" in Query, which <SQL> will correctly parameterize.

Post by barry.marcus »

But that makes the query "SELECT DISTINCT PATN_ISD FROM $tabName WHERE PATN_ISD > '20051231' ORDER BY PATN_ISD" when it is sent to Texis. I want it to be:

SELECT DISTINCT PATN_ISD FROM PATN_TEST WHERE PATN_ISD > '20051231' ORDER BY PATN_ISD

Post by barry.marcus »

Sorry. I see what you mean. Thanks, I think that worked.

Post by jason112 »

Yeah, I didn't notice $tabName is the name of the table (you'd think the variable name would've tipped me off X-| )

For that, strfmt will insert the actual value:

<strfmt "SELECT DISTINCT PATN_ISD FROM %s WHERE PATN_ISD > '20051231' ORDER BY PATN_ISD" $tabName><$Query=$ret>

Post by mark »

SQL INJECTION WARNING!

Make sure "tabName" is not coming from the user via form input or similar. If it is, they can change it to something that will change the meaning of your SQL. If it's based on user input (even if it's "hidden" on the form), it should be sanitized before use in SQL.
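
The point of the warning above, as an added example that is not part of the original thread: a Python sketch, with sqlite3 standing in for Texis (an assumption), showing that a bound parameter cannot supply a table name, that pasting the name into the SQL text lets the input rewrite the query, and that an allowlist check closes that off. The table PATN_PRIVATE, the rows, the allowlist and all function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed for this example: sqlite3 stands in for Texis; rows are invented.
ALLOWED_TABLES = {"PATN_TEST"}                    # hypothetical allowlist
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")
QUERY = "SELECT DISTINCT PATN_ISD FROM {} WHERE PATN_ISD > ? ORDER BY PATN_ISD"
# Constructed hostile value for tabName: valid SQL that changes the query's meaning.
HOSTILE = "PATN_TEST UNION SELECT PATN_ISD FROM PATN_PRIVATE"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PATN_TEST (PATN_ISD TEXT)")
    db.execute("CREATE TABLE PATN_PRIVATE (PATN_ISD TEXT)")
    db.executemany("INSERT INTO PATN_TEST VALUES (?)",
                   [("20051115",), ("20060103",), ("20060103",), ("20060214",)])
    db.execute("INSERT INTO PATN_PRIVATE VALUES ('20991231')")
    return db

def bind_as_parameter(db, tab_name):
    """Placeholders bind values only; one in table position is a syntax error."""
    try:
        db.execute("SELECT DISTINCT PATN_ISD FROM ? ORDER BY PATN_ISD", (tab_name,))
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None

def query_unsafe(db, tab_name, after="20051231"):
    """Table name pasted into the SQL text unchecked (what strfmt %s does)."""
    return [r[0] for r in db.execute(QUERY.format(tab_name), (after,))]

def query_checked(db, tab_name, after="20051231"):
    """Same query; the name must be a bare identifier and on the allowlist."""
    if not IDENT_RE.match(tab_name) or tab_name not in ALLOWED_TABLES:
        raise ValueError("table name not allowed: %r" % (tab_name,))
    return [r[0] for r in db.execute(QUERY.format(tab_name), (after,))]

if __name__ == "__main__":
    db = make_db()
    print(bind_as_parameter(db, "PATN_TEST"))
    print(query_unsafe(db, "PATN_TEST"))
    print(query_unsafe(db, HOSTILE))      # date filter bypassed, other table read
    for name in ("PATN_TEST", "PATN_PRIVATE", HOSTILE):
        try:
            print(name, "->", query_checked(db, name))
        except ValueError as exc:
            print("rejected:", exc)
```

The identifier pattern alone is not enough: PATN_PRIVATE is a well-formed name, and only the allowlist keeps it out.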