Executes an SQL statement that returns an instance of the ResultSet class.
Syntax
public ResultSet executeQuery(str statement)
Run On
Called
Parameters
- statement
Type: str
The string that contains the SQL statement that is used to retrieve the result set.
Return Value
Type: ResultSet Class
The object that contains the data returned from the query.
Remarks
If users control input to the executeQuery method, an SQL injection threat can occur. Therefore, this method runs under Code Access Security. Calls to this method on the server require permission from the SqlStatementExecutePermission class. The following are safer alternatives for executing SQL statements:
- Queries
- Views
- X++ select statements
Record level security is not enforced on the Statement class. If data is exposed to the user, perform explicit security validation.
Examples
The following example performs an SQL query on CustTable, which runs on the server. The result of the query is stored in the resultSet object.
    server static void main(Args _args)
    {
        DictTable dictTable;
        Connection connection;
        Statement statement;
        str sql;
        ResultSet resultSet;
        SqlStatementExecutePermission perm;

        dictTable = new DictTable(tableNum(CustTable));
        if (dictTable != null)
        {
            connection = new Connection();
            sql = strfmt("SELECT * FROM %1", dictTable.name(DbBackend::Sql));
            perm = new SqlStatementExecutePermission(sql);
            // Check for permission to use the statement.
            perm.assert();
            statement = connection.createStatement();
            resultSet = statement.executeQuery(sql);
            // End the scope of the assert call.
            CodeAccessPermission::revertAssert();
        }
    }
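The injection risk described under Remarks, shown next to one of the listed safer alternatives (an X++ select statement). This is an added example, not code from the original page; the method names and the _accountNum parameter are hypothetical, and both methods are assumed to be static methods of a server-side class.

```xpp
// Added example; method names and _accountNum are hypothetical.

// Unsafe pattern: caller-supplied text is formatted into the SQL string,
// so a quote character in _accountNum changes the statement that
// executeQuery sends to the database.
server static boolean custExistsUnsafe(str _accountNum)
{
    DictTable dictTable = new DictTable(tableNum(CustTable));
    Connection connection;
    Statement statement;
    ResultSet resultSet;
    SqlStatementExecutePermission perm;
    str sql;
    boolean found;

    connection = new Connection();
    sql = strfmt("SELECT * FROM %1 WHERE ACCOUNTNUM = '%2'",
                 dictTable.name(DbBackend::Sql), _accountNum);
    perm = new SqlStatementExecutePermission(sql);
    perm.assert();
    statement = connection.createStatement();
    resultSet = statement.executeQuery(sql);
    found = resultSet.next();
    CodeAccessPermission::revertAssert();
    return found;
}

// Safer alternative: an X++ select statement. _accountNum is compared as
// a value and never becomes part of the SQL text, and no
// SqlStatementExecutePermission assert is needed.
server static boolean custExists(CustAccount _accountNum)
{
    CustTable custTable;

    select firstonly RecId from custTable
        where custTable.AccountNum == _accountNum;

    return custTable.RecId != 0;
}
```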