I'm attempting to use advanced filter builder, and I have it working in my application but I cannot find a way to resolve the SQL injection warnings related to Expand inline property. Is there something I'm missing on this?
Hi Josh,
Have you already tried to use EncodeSQL() function to secure values in your expression?
André Siébra wrote:
I'm pretty new to this, do I add EncodeSQL() in the advanced SQL query? For example, at the end of the Advanced SQL query it has @AdvanceFilter so I would add EncodeSQL(@AdvanceFilter) there?
Josh Herron wrote:
You just need to encode the values coming from the server that compound the filter, not the filter at all.
e.g.: "MYCOLUMN = " + EncodeSQL(VariableFromServer) + " AND 1 = 1"
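Added example, not from the thread or from OutSystems: the same idea as the reply above, written in Python against an in-memory SQLite table so it can be run anywhere. The structural parts of the filter (column name, operator) come from allowlists, while every value is sent as a bound parameter, which is the role EncodeSQL() plays in the OutSystems expression. The table, rows and function names (build_filter, query_users, unsafe_where) are constructed for illustration.

```python
import sqlite3

# Constructed sample data (not from the forum thread): a tiny in-memory table.
SAMPLE_ROWS = [
    (1, "alice", "active"),
    (2, "bob", "disabled"),
    (3, "carol", "active"),
]

# Allowlists: only these column names and operators may be expanded inline
# into the statement text. Anything else is rejected before SQL is built.
ALLOWED_COLUMNS = {"Id", "Name", "Status"}
ALLOWED_OPERATORS = {"=", "<>", "LIKE"}


def build_filter(conditions):
    """Build a WHERE fragment from (column, operator, value) triples.

    Column and operator are structural SQL and must be in the allowlists;
    each value becomes a '?' placeholder and is returned separately so the
    driver binds it as data. Returns (where_text, params).
    """
    clauses, params = [], []
    for column, operator, value in conditions:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed: {column!r}")
        if operator not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not allowed: {operator!r}")
        clauses.append(f"{column} {operator} ?")
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1 = 1"
    return where, params


def query_users(conditions):
    """Run the dynamic filter against the sample table; return matching Ids."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER, Name TEXT, Status TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_ROWS)
    where, params = build_filter(conditions)
    # Only allowlisted text is expanded inline; values travel in `params`.
    sql = f"SELECT Id FROM Users WHERE {where} ORDER BY Id"
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return [r[0] for r in rows]


def unsafe_where(conditions):
    """The pattern the injection warning is about: values concatenated
    straight into the filter text. Returned as a string only, to contrast
    with build_filter; never executed here."""
    return " AND ".join(f"{c} {o} '{v}'" for c, o, v in conditions)


if __name__ == "__main__":
    hostile = "x' OR '1'='1"
    print(query_users([("Status", "=", "active")]))  # [1, 3]
    print(query_users([("Name", "=", hostile)]))     # [] : bound as plain data
    print(unsafe_where([("Name", "=", hostile)]))    # shows why the warning fires
```

The point of the split is that EncodeSQL() (or parameter binding, as here) only has to cover the values; the column names and operators are chosen by your own code, so they are kept out of user control by an allowlist rather than by encoding.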
I think I follow... just need to debug and step through and figure out exactly which function is setting those values.