|
|
Discuss
>
Etcetera
|
|
|
User
|
aleone
|
|
Date
|
7/29/2007 11:53 am
|
|
Views
|
1614
|
|
Rating
|
1
Rate [ | ]
|
|
|
Previous
·
Next
|
aleone
|
Date: 7/29/2007 11:53 am · Subject: SQL Reports and Single quotes · Rating: 1
Hello I am trying to build a query that will return a list of names, based on flexible input (ie, a user may only put a state name, or a last name, or combinations thereof). It all works EXCEPT for quotes included in last names (O'Keefe, for example). If I escape the single quote in the form (o\'keefe), the query works. Of course, this is not acceptable for users. SO, i tried the /\Quote Macro, but that did not work. I notice that there is a caveat that the Quote Macro cannot be nested "if the quoted string contains commas or unescaped quotes". Pardon me, but isn't that kind of the point -- ie, to escape those characters where needed? So, how can I allow for the input of names with apostrophes?? I have included the admittedly complicated query below. The complication is what allows for flexible input. thanks,
aleone
SELECT id, firstName, lastName, city, state, zip, country
FROM people
WHERE
^If('^FormParam(id);' eq '',
^If('^FormParam(firstname);' ne '',
firstName LIKE '%^FormParam(firstname);%' AND); ^If('^FormParam(lastname);' ne '',
lastName LIKE '%^FormParam(lastname);%' AND);
^If('^FormParam(country);' ne '',
country LIKE '^FormParam(country);',
^If('^FormParam(state);' ne '', state LIKE '^FormParam(state);',state LIKE '%'););,
id = '^FormParam(id);');
ORDER BY city, state, lastName, firstName
--- (Edited on 7/29/2007 11:53 am [GMT-0500] by aleone) ---
|
| Back to Top |
Rate [ | ]
|
| |
knowmad
|
Date: 7/30/2007 8:49 am · Subject: Re: SQL Reports and Single quotes · Rating: 5
You should be using placeholders instead of directly putting the form parameter input into your sql statements. Placeholders will take care of the quoting for you plus prevent possible SQL injection which you've opened yourself up to by taking input straight from the browser. The hover help gives you hints on how to use them. In your SQL, you will replace the FormParam macros with ?. Good luck,
William
--- (Edited on 7/30/2007 9:49 am [GMT-0400] by knowmad) ---
|
| Back to Top |
Rate [ | ]
|
| |
aleone
|
Date: 7/30/2007 9:59 am · Subject: Re: SQL Reports and Single quotes · Rating: -3
Thank you, knowmad, but i am still having trouble. I defined a placeholder parameter 'form:lastname" and simply substituted the FormParam macro for lastname. Here: SELECT id, firstName, lastName, city, state, zip, country
FROM people
WHERE
^If('^FormParam(id);' eq '', ^If('^FormParam(firstname);' ne '',
firstName LIKE '%^FormParam(firstname);%' AND); ^If('^FormParam(lastname);' ne '',
lastName = ? AND);
^If('^FormParam(country);' ne '',
country LIKE '^FormParam(country);',
^If('^FormParam(state);' ne '', state LIKE '^FormParam(state);',state LIKE '%'););,
id = '^FormParam(id);');
ORDER BY city, state, lastName, firstName I still get the same SQL syntax error due to the apostrophe in the last name when i try "o'keefe". Moreover, i get no return set at all if i leave the last name form param blank (eg, i pick a state instead). Is this because placeholders don't allow null values? I appreciate any help. Thanks, aleone
--- (Edited on 7/30/2007 9:59 am [GMT-0500] by aleone) ---
|
| Back to Top |
Rate [ | ]
|
| |
knowmad
|
Date: 7/30/2007 11:32 am · Subject: Re: SQL Reports and Single quotes · Rating: 7
^If('^FormParam(lastname);' ne '', lastName = ? AND); Why did you get rid of the LIKE comparison? Your statement will require the user to type in the last name exactly. Try the following instead: lastName LIKE concat('%',?,'%') I still get the same SQL syntax error due to the apostrophe in the last name when i try "o'keefe". Moreover, i get no return set at all if i leave the last name form param blank (eg, i pick a state instead). Is this because placeholders don't allow null values? You may be getting a null return set because the last name in the database is capitalized and your sql specified an exact match (I think MySQL is case sensitive). Can you post the SQL syntax error you get? William
--- (Edited on 7/30/2007 12:32 pm [GMT-0400] by knowmad) ---
|
| Back to Top |
Rate [ | ]
|
| |
aleone
|
Date: 7/30/2007 12:18 pm · Subject: Re: SQL Reports and Single quotes · Rating: 11
Thanks for the feedback, knowmad. Yes, i know that I changed the LIKE clause and knew its implications. I was attempting some debugging. Using the Concatenation function seems to include the question mark, despite the fact that the IF branch is not followed. Here is the code: SELECT id, firstName, lastName, city, state, zip, country
FROM people
WHERE
^If('^FormParam(id);' eq '', ^If('^FormParam(firstname);' ne '',
firstName LIKE '%^FormParam(firstname);%' AND); ^If('^FormParam(lastname);' ne '',
lastName LIKE concat('%',?,'%') AND);
^If('^FormParam(country);' ne '',
country LIKE '^FormParam(country);',
^If('^FormParam(state);' ne '', state LIKE '^FormParam(state);',state LIKE '%'););,
id = '^FormParam(id);');
ORDER BY city, state, lastName, firstName Running this with no input (should return all rows) yields: (Note the '?' after the WHERE) - Debug: Query:SELECT id, firstName, lastName, city, state, zip, country FROM people WHERE ? state LIKE '%' ORDER BY city, state, lastName, firstName
- Debug: Processed Placeholder parameters:
- Debug: Error: There was a problem with the query. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'state LIKE '%' ORDER BY city, state, lastName, firstName' at line 12
Changing the SQL to an equality test: ...
^If('^FormParam(lastname);' ne '',
lastName = ? AND);
... With no input yields no records (should be all), but a seemingly good SQL query: - Debug: Query:SELECT id, firstName, lastName, city, state, zip, country FROM people WHERE state LIKE '%' ORDER BY city, state, lastName, firstName
- Debug: Processed Placeholder parameters:
If i try passing a last name into this, i get: Debug: Query:SELECT id, firstName, lastName, city, state, zip, country FROM people WHERE If Macro failed: Bad name after Keefe' at (eval 3138) line 1. Expression: 'O'Keefe' ne ''
Display if true: lastName = ? AND
Display if false: state LIKE '%' ORDER BY city, state, lastName, firstName Debug: Processed Placeholder parameters:O'Keefe Debug: Error: There was a problem with the query. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' If Macro failed: Bad name after Keefe' at (eval 3138) line 1. Expr' at line 8 That's a lot of stuff. Thanks for assisting. --- (Edited on 7/30/2007 12:18 pm [GMT-0500] by aleone) ---
--- (Edited on 7/30/2007 12:19 pm [GMT-0500] by aleone) ---
|
| Back to Top |
Rate [ | ]
|
| |
knowmad
|
Date: 7/30/2007 1:09 pm · Subject: Re: SQL Reports and Single quotes · Rating: -5
OK, so it appears that there is a problem with macro processing and placeholders. I'd suggest reporting a bug if you want to see that behavior fixed. You may be able to get your example to work by using double quotes for the lhs (lefthand-side) value in the comparison inside the If() macro. That would allow single quotes inside. Nevertheless, you'd still have the security risk of SQL Injections. Here's how we do these types of expressions using placeholders. SELECT firstname, lastname, location, photo
FROM students
WHERE lastname LIKE (
SELECT CASE WHEN ? = ''
THEN '%%'
ELSE concat('%',TRIM(?),'%')
END)
AND students.__archived = 0
AND students.__deleted = 0
ORDER BY students.lastname;
In this case, the placeholders would be: form:lastname
form:lastname
HTH,
William
--- (Edited on 7/30/2007 2:09 pm [GMT-0400] by knowmad) ---
|
| Back to Top |
Rate [ | ]
|
| |
aleone
|
Date: 7/31/2007 12:16 pm · Subject: Re: SQL Reports and Single quotes · Rating: -6
knowmad, I really appreciate your help. I am considering other workarounds. It is nice to know that i am not missing something glaringly obvious. Thanks again, aleone
--- (Edited on 7/31/2007 12:16 pm [GMT-0500] by aleone) ---
|
| Back to Top |
Rate [ | ]
|
| |
knowmad
|
Date: 8/1/2007 12:24 am · Subject: Re: SQL Reports and Single quotes · Rating: 9
knowmad, I really appreciate your help. I am considering other workarounds. It is nice to know that i am not missing something glaringly obvious.
You're welcome. Just be sure that whatever workaround you use, you get rid of the FormParam macros in your SQL. You're asking for trouble (and setting a bad example for others). Let us know what you end up doing (unless it uses the macro  ). William
--- (Edited on 8/1/2007 1:24 am [GMT-0400] by knowmad) ---
|
| Back to Top |
Rate [ | ]
|
| |
|
|
Recent Discussions Color Key |
| Design: |
|
| Development: |
|
| Et Cetera: |
|
| Install/Upgrade: |
|
| Smoketest: |
|
| Template Group: |
|
Re: Übersetzungen vor dem nächsten Treffen - Translations to be done before the next meeting will take place. by koen - Mon @ 05:17pm Übersetzungen vor dem nächsten Treffen by bernd - Mon @ 03:09pm Re: Synopsis search results by knowmad - Mon @ 10:19am Synopsis search results by marieken - Mon @ 05:49am
|
