At 12:08 PM 8/17/99 +0200, Martijn Pieters wrote:
At 04:38 17/08/99 , Evan Simpson wrote:
UPDATE "addressbook" SET "email" = '<!--#var email sql_quote-->' WHERE "name" = <!--#sqlvar name type=string-->
Wow, don't confuse poor Bradford, who has been hassled enough I am sure, with erroneous code as well!
Above line should read:
UPDATE addressbook SET email = <!--#var email sql_quote--> WHERE name = <!--#sqlvar name=name type=string-->
because sql_quote will add the quotes for you, you don't have to do this yourself, and 'name' is not only the name of the variable you want to insert, but also the name of an attribute of the sqlvar tag.
I'm afraid you're BOTH wrong. It's: UPDATE addressbook SET email = '<!--#var email sql_quote-->' WHERE name = <!--#sqlvar name=name type=string--> or: UPDATE addressbook SET email = '<!--#var email sql_quote-->' WHERE name = '<!--#var name sql_quote-->' 'sql_quote' doesn't add quotes; it only escapes embedded quotes.