Dynamic where condition on sql query
Question

Hi Team,

I am passing dynamic input to an advanced query as I mentioned in the pic below; while passing it I am receiving a SQL injection error since the input parameter's Expand Inline is enabled, so to fix these warnings, can anyone show me some demo online?

Thanks 

Balaji


Hi Balaji,

you forgot to attach the pic. However, you can start by reading this article to understand the reasons and the way of doing it correctly to avoid the risk of SQL injection.

https://success.outsystems.com/Documentation/Best_Practices/Development/Building_Dynamic_SQL_Statements_the_Right_Way

Regards

Can you see the attachment now, Jose?

No. You can paste the image directly to this textbox.

Hi Balaji,

this is basically the same question as your previous post.

You marked it as solved, but now I get the feeling maybe our answers there were not clear or detailed enough?

If you are building it without any free-form input from the user, then you can safely ignore the SQL injection warning; if not, you'll have to make changes, like for example splitting your input into a safe and an unsafe part, and only expanding inline the safe part.

Can you share maybe some more information about your data model, and about how you are building the input string for the where clause? Ideally you share an OML.

Another tip for you (if you're on a Windows machine): use the Snip & Sketch tool to make screen images; that's much more readable than making pictures with your phone, like you seem to be doing now.

So a few things that I can see already from your photo:

* you are not using correct syntax: it should be {entity}.[attribute]

* you are comparing deal type to a literal string; preferably, your deal type is a reference to a static entity, and you can then let the user choose a value from a static entity dropdown, for example, and compare the database value to the selected value; no more need to hardcode values in your SQL

* probably a similar remark about MilestoneId; it's a bit odd to compare an ID to a literal string value

If you share more about what you are trying to achieve, we can build you an example SQL to show what we mean.

Dorine
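To illustrate the safe/unsafe split described in the answer above, here is an added example (not OutSystems code and not from anyone in this thread) that models the pattern in Python with sqlite3: the attribute name and operator come from a whitelist and are the only part expanded inline, while the user-supplied value stays a bound parameter. The Deal table, its attributes and the sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample data standing in for a {Deal} entity with DealType and
# MilestoneId attributes (assumed names; the thread only mentions them loosely).
SAMPLE_DEALS = [
    (1, "Lease", 10),
    (2, "Sale", 11),
    (3, "Lease", 11),
]

# Safe part: the only attributes and operators a caller may choose. Because
# every accepted value maps to a fixed fragment, this part can be expanded
# inline without giving the user control over the SQL text.
ALLOWED_ATTRIBUTES = {"DealType": "DealType", "MilestoneId": "MilestoneId"}
ALLOWED_OPERATORS = {"=", "<>"}


def build_where(attribute, operator):
    """Return the inline-safe fragment, e.g. 'DealType = ?'.

    The attribute and operator are validated against the whitelist; the value
    is never concatenated into the string and remains a bound parameter ('?').
    """
    if attribute not in ALLOWED_ATTRIBUTES:
        raise ValueError(f"attribute not allowed: {attribute!r}")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"operator not allowed: {operator!r}")
    return f"{ALLOWED_ATTRIBUTES[attribute]} {operator} ?"


def query_deals(conn, attribute, operator, value):
    """Run the dynamic WHERE clause; returns matching Deal ids in order."""
    sql = f"SELECT Id FROM Deal WHERE {build_where(attribute, operator)} ORDER BY Id"
    return [row[0] for row in conn.execute(sql, (value,))]


def make_db():
    """Create an in-memory table populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Deal (Id INTEGER PRIMARY KEY, DealType TEXT, MilestoneId INTEGER)")
    conn.executemany("INSERT INTO Deal VALUES (?, ?, ?)", SAMPLE_DEALS)
    return conn


if __name__ == "__main__":
    db = make_db()
    print(query_deals(db, "DealType", "=", "Lease"))          # [1, 3]
    # A value containing quotes is just compared literally, because it is bound
    print(query_deals(db, "DealType", "=", "Lease' OR '1'='1"))  # []
```

The same shape carries over to an Advanced SQL node: keep the whitelisted fragment in the Expand Inline parameter and pass the user's value through an ordinary (non-inline) input parameter.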
