Question

When I am using the StoredProc component in Delphi, I am able to send a NULL value with ParamByname('ParamName').Clear.

But how can I pass a NULL value when using a Query component?

with Query do
begin
  { Quoted is the poster's own helper, not a Delphi RTL routine; note the
    space after the procedure name, otherwise the value runs into it }
  SQL.Add('exec d_upd_calc ' + Quoted(EditCalc.Text));
end;

In the above scenario I want to send NULL if the edit box is blank.

I am using Delphi 2010 and UniDAC with Sybase.


Solution

Even in Query components you can work with parameters:

Query.SQL.Text := 'exec d_upd_calc :myparam';
Query.Prepare;
Query.ParamByName('myparam').Clear;   { Clear binds NULL; the SQL text itself is untouched }
Query.Execute;                        { TUniQuery.Execute; use ExecSQL on components that lack Execute }

And it's better to use parameters than to build the complete string, because you don't have to handle quotes and you avoid security holes via SQL injection.

OTHER TIPS

With Advantage DB I would do something along these lines:

var
  sqlText: string;

with Query do
begin
  { build the statement text by hand: the NULL keyword when the edit box is empty }
  if EditCalc.Text = '' then
    sqlText := 'exec d_upd_calc NULL'
  else
    sqlText := 'exec d_upd_calc ' + Quoted(EditCalc.Text);
  SQL.Clear;
  SQL.Add(sqlText);
  ExecSQL;
end;

If the keyword is also NULL then this should work.

Does Quoted remove/escape any dangerous user input to prevent SQL injection? If yes then it's good. If not then it should.
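
The parameterised form from the accepted solution, written out as a complete routine, as an added example (this is not code from the original question or from either answer). It assumes UniDAC's TUniQuery already attached to an open TUniConnection, a Sybase procedure d_upd_calc that takes one varchar argument, an illustrative routine name UpdateCalc and parameter name calc. It also addresses the question raised in the second answer about whether Quoted escapes dangerous input: with a bound parameter the edit-box text never becomes part of the SQL text, so there is nothing to escape.

```delphi
{ Added example, not from the original page. Belongs in the implementation
  section of a unit. Assumptions: UniDAC (TUniQuery on a connected
  TUniConnection), a Sybase stored procedure d_upd_calc with one varchar
  argument, and the illustrative names UpdateCalc / calc. }
uses
  SysUtils, DB, Uni;

procedure UpdateCalc(Query: TUniQuery; const EditText: string);
begin
  { The placeholder is the only thing in the statement text. Whatever the
    user types (quotes, semicolons, a second statement) is sent as a bound
    value, never spliced into the SQL, so it cannot change the statement. }
  Query.SQL.Text := 'exec d_upd_calc :calc';

  { Clear only sets the value to Null. Give the parameter an explicit type
    first: some drivers refuse to bind a NULL whose type is ftUnknown. }
  Query.ParamByName('calc').DataType := ftString;

  if Trim(EditText) = '' then
    Query.ParamByName('calc').Clear            { binds NULL }
  else
    Query.ParamByName('calc').AsString := EditText;

  Query.Execute;                               { runs the non-SELECT statement }
end;
```

Call it as UpdateCalc(UniQuery1, EditCalc.Text) from the button handler. Compared with the string-building version above, the text of the statement is fixed at compile time, so the answer to "does Quoted escape dangerous input" no longer matters: there is no Quoted.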

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow