Advanced SQL with a list of varchar values for the 'IN'


Hi All,

I am currently trying to create an Advanced SQL statement which requires a list of string values to be passed as a parameter to feed the 'IN'. I was able to achieve it, but I can't EncodeSQL the parameter to prevent SQL injection, as the list of values will contain single quotes: 'value1','value2','value3'. Does anyone have a way to use EncodeSQL within the query?

Solution

Hi Anthony,

I would say that what you want is to encode every single value (value1, value2, and so on). In that case, when you append a value to your string, you append it using the EncodeSQL function (e.g. EncodeSQL(<string from list>)).

This way your whole string will be properly sanitized.

Cheers,

José
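
As an added illustration of the per-value approach described in this answer (example code, not OutSystems code and not from the thread): encode_sql() is an assumed stand-in for EncodeSQL that doubles single quotes, build_in_list() encodes each value before wrapping it, and parse_in_list() is a small check that the fragment still reads as a plain list of literals, which fails for both the raw list and the whole-string-encoded list the question ran into.

```python
from typing import Iterable, List

# Constructed sample input; one value contains the problematic single quote.
SAMPLE_VALUES = ["active", "O'Brien"]


def encode_sql(value: str) -> str:
    """Assumed stand-in for EncodeSQL: double single quotes so a value
    cannot terminate the literal it sits in."""
    return value.replace("'", "''")


def build_in_list(values: Iterable[str]) -> str:
    """Encode EACH value, then quote it and join: the approach in the answer."""
    return ", ".join(f"'{encode_sql(v)}'" for v in values)


def raw_in_list(values: Iterable[str]) -> str:
    """Values pasted in unencoded: a quote inside a value breaks out of it."""
    return ", ".join(f"'{v}'" for v in values)


def whole_string_encoded(values: Iterable[str]) -> str:
    """Encoding the finished list instead of each value escapes the
    structural quotes too, so the fragment is no longer valid SQL."""
    return encode_sql(raw_in_list(values))


def parse_in_list(fragment: str) -> List[str]:
    """Parse a comma-separated list of single-quoted literals back into
    values, honouring the doubled-quote escape. Raises ValueError on any
    text that is not inside a literal, i.e. when a value has escaped its
    quotes or the quotes themselves were escaped."""
    values, i, n = [], 0, len(fragment)
    while i < n:
        if fragment[i] != "'":
            raise ValueError(f"text outside a literal at offset {i}")
        i, buf = i + 1, []
        while True:
            if i >= n:
                raise ValueError("unterminated literal")
            if fragment[i] == "'":
                if i + 1 < n and fragment[i + 1] == "'":
                    buf.append("'")  # doubled quote -> literal quote
                    i += 2
                    continue
                i += 1
                break  # closing quote
            buf.append(fragment[i])
            i += 1
        values.append("".join(buf))
        if i < n:  # only a ", " separator may follow a literal
            if not fragment.startswith(", ", i):
                raise ValueError(f"text outside a literal at offset {i}")
            i += 2
    return values
```

Only build_in_list() round-trips through parse_in_list(); the other two fragments raise, which is the same breakage the database parser would see.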

Solution

José Costa wrote:

Hi Anthony,

I would say that what you want is to encode every single value (value1, value2, and so on). In that case, when you append a value to your string, you append it using the EncodeSQL function (e.g. EncodeSQL(<string from list>)).

This way your whole string will be properly sanitized.

Cheers,

José

Hi Jose,

That's great, but how do I remove the SQL injection warning that is showing in TrueChange? I want to make sure my other teammates won't try to correct it when they see the warning.

Hi Anthony,

I don't think that is possible.

You can hide the warning or, better yet, add a comment near the SQL statement explaining that you are using text that is not sanitized there because it is already sanitized somewhere else.

Cheers,

José

José Costa wrote:

Hi Anthony,

I don't think that is possible.

You can hide the warning or, better yet, add a comment near the SQL statement explaining that you are using text that is not sanitized there because it is already sanitized somewhere else.

Cheers,

José

Yeah, I did both. Thanks for your quick reply.