Creating sql statement for data set securely [message #668017] |
Tue, 03 May 2011 12:11 |
|
I am trying to create the data set for a report. The way I am doing it is by string concatenation and then just doing dsHandle.setQueryText(query). I've been looking for any how-tos on a secure way of doing this. There will be a variable number of OR statements in the where clause, so I need some flexibility. E.g. "select * from table where ( name = ? or name = ? or ... ) and time between ( ? and ?)". Any help is greatly appreciated. To give you a better understanding of what I am doing, I have a .rptdesign file that already has a data source, and I'm just opening that .rptdesign file, modifying the data set and then running the report with the new SQL query.
|
|
|
Re: Creating sql statement for data set securely [message #668098 is a reply to message #668017] |
Tue, 03 May 2011 17:48 |
|
Are you using session values to fill in the parameters?
Jason
On 5/3/2011 8:11 AM, azuniga wrote:
> I am trying to create the data set for a report. The way I am doing it
> is by string concatenation and then just doing
> dsHandle.setQueryText(query). I've been looking for any how-tos on a
> secure way of doing this. There will be a variable number of OR
> statements in the where clause, so I need some flexibility. E.g.
> "select * from table where ( name = ? or name = ? or ... ) and time
> between ( ? and ?)". Any help is greatly appreciated. To give you a
> better understanding of what I am doing, I have a .rptdesign file that
> already has a data source, and I'm just opening that .rptdesign file,
> modifying the data set and then running the report with the new SQL query.
|
|
|
Re: Creating sql statement for data set securely [message #668235 is a reply to message #668098] |
Wed, 04 May 2011 15:41 |
|
No, I'm not using session values. I have checkboxes that the user can check if he wants that parameter to be shown on the report. Also, the user has 2 dateboxes, a start date/time and an end date/time box where he will enter the timeframe of the records he wants. So from there I build my string that I will then use to set the query text for the data set.
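
The approach discussed in this thread, shown as an added example (not code from any poster and not BIRT's own): the query text is assembled from fixed fragments and `?` markers only, with one marker per checked box, while the user's values travel in a separate ordered list to be bound as the data set's parameters. The class name, the `report_table` table and the `KNOWN_NAMES` set are assumptions made for illustration.

```java
import java.time.LocalDateTime;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;

public class ReportQueryBuilder {
    // Hypothetical: the only values the checkboxes can legitimately produce.
    private static final Set<String> KNOWN_NAMES = Set.of("cpu", "memory", "disk");

    final String text;         // SQL made of fixed fragments and '?' markers, never user data
    final List<Object> binds;  // values in the same order as the markers

    private ReportQueryBuilder(String text, List<Object> binds) {
        this.text = text;
        this.binds = Collections.unmodifiableList(binds);
    }

    static ReportQueryBuilder build(List<String> checked, String start, String end) {
        if (checked.isEmpty()) throw new IllegalArgumentException("no names selected");
        List<Object> binds = new ArrayList<>();
        StringBuilder where = new StringBuilder();
        for (String name : checked) {
            // Allow-list check: anything that is not a known checkbox value is refused.
            if (!KNOWN_NAMES.contains(name))
                throw new IllegalArgumentException("unknown name: " + name);
            where.append(where.length() == 0 ? "name = ?" : " OR name = ?");
            binds.add(name);
        }
        // parse() throws DateTimeParseException for input that is not an ISO timestamp.
        LocalDateTime from = LocalDateTime.parse(start);
        LocalDateTime to = LocalDateTime.parse(end);
        if (to.isBefore(from)) throw new IllegalArgumentException("end before start");
        binds.add(from);
        binds.add(to);
        String sql = "SELECT * FROM report_table WHERE (" + where + ") AND time BETWEEN ? AND ?";
        return new ReportQueryBuilder(sql, binds);
    }

    public static void main(String[] args) {
        // Constructed sample input: two boxes checked and a two-day window.
        ReportQueryBuilder q = build(List.of("cpu", "disk"), "2011-05-01T00:00:00", "2011-05-03T12:00:00");
        System.out.println(q.text);   // this string is what goes to dsHandle.setQueryText(...)
        System.out.println(q.binds);  // bind these, in order, as the data set's parameters
        try {
            build(List.of("bogus' name"), "2011-05-01T00:00:00", "2011-05-03T12:00:00");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the number of markers follows the number of checked boxes, the WHERE clause stays flexible without any user-supplied text ever being concatenated into the statement.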