Identifier Too Long using EncodeSql

Identifier Too Long using EncodeSql

  
Hi,

I am getting the error "Identifier too long" when using EncodeSql in my parameter with Expand Inline = Yes. It is working when I don't use EncodeSql but this will pose security risk right? How do I mitigate this?


Thanks,
Gino
Hi gino,

Can you show us what you are trying to encode and the query?
I would not expect you to get an error, since the EncodeSql results are strings and those would not be "identifiers".


Regards,
João Rosado
João Rosado wrote:
Hi gino,

Can you show us what you are trying to encode and the query?
I would not expect you to get an error, since the EncodeSql results are strings and those would not be "identifiers".


Regards,
João Rosado
 
Hi Joao,

Thanks for the response. What I am getting now is the error: MISSING RIGHT PARENTHESIS. Here's my code:

SELECT {table}.[column]
  FROM {table}
 WHERE {Events}.[column] NOT IN @bookedEventKey

where the @bookedEventkey is a text with values such as "('1E2DD010551991B36DDDDD4E9E2DE002','AC947F58A0F7CD1BD5AB0B9038E2AF72') that I created using a function.

Maybe I am passing the parameter wrong? I am doing EncodeSql(bookedEventkey). Still confused how to use EncodeSql function.


Regards,
Gino
Hi Gino,

The problem there is that what you need to encode must be strings that are used in SQL. So what you need to encode are the strings like 1E2DD010551991B36DDDDD4E9E2DE002 before placing it there.

What the EncodeSql is used for is to remove "dangerous" characters from strings that will be used in Sql, preventing Sql Injection. So by passing to the function a string that has " ' " characters in it will make them encoded and your query would become:


SELECT {table}.[column]
  FROM {table}
 WHERE {Events}.[column] NOT IN (''1E2DD010551991B36DDDDD4E9E2DE002'',''AC947F58A0F7CD1BD5AB0B9038E2AF72'')

Regards,
João Rosado

João Rosado wrote:
Hi Gino,

The problem there is that what you need to encode must be strings that are used in SQL. So what you need to encode are the strings like 1E2DD010551991B36DDDDD4E9E2DE002 before placing it there.

What the EncodeSql is used for is to remove "dangerous" characters from strings that will be used in Sql, preventing Sql Injection. So by passing to the function a string that has " ' " characters in it will make them encoded and your query would become:


SELECT {table}.[column]
  FROM {table}
 WHERE {Events}.[column] NOT IN (''1E2DD010551991B36DDDDD4E9E2DE002'',''AC947F58A0F7CD1BD5AB0B9038E2AF72'')

Regards,
João Rosado
 
 Awesome. Thanks Joao!


Regards,
Gino