Pass multiple selections from list box as a parameter to a sql query
I have a listbox that allows the user to select multiple values. I'd like to then pass these values to a SQL query as a parameter. I am able to cast the output object variable from the form to an array of objects and then loop through that array, get each value and construct a string variable such as '6', '8', '10', but I can't successfully then pass that as a parameter to my SQL query. The field is a string, so my WHERE clause is valvesize in (@argSize), but I don't get any results.
I got this working by using the SQLQueryUnsafe activity instead of the SQLQuery activity. I constructed a string variable that is most of my SQL query and then includes my variables that were previously parameters in the SQLQuery activity, and I use that string variable as my command in the SQLQueryUnsafe activity. wooohoooo.
Glad you were able to find a workaround.
Is this an internal site or is it open to the public? If open to the public, make sure that you sanitize any possibility of SQL injection.
Yeah, internal, thank you. I need to research what sanitizing means - I saw the many warnings.
SQL injection is a common attack for hackers, and any time you use the SQLQuery activity in Workflow, put your worst-case-scenario hat on. Say you have a workflow with a text input for an address (e.g. "123 Main St"). You send that string directly to the database with:

SELECT * FROM addresses WHERE address='123 Main St'

SQL injection happens if I say my address is "123 Main St'; DROP TABLE addresses;-- ?":

SELECT * FROM addresses WHERE address='123 Main St'; DROP TABLE addresses;-- ?'

This would be bad, as I just sent two commands into your database: one to execute the query, and a second to drop the addresses table. This is a super simple example, but just be careful when using SQLQueryUnsafe.
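The following is an added example, not code from the thread or from the Workflow product it discusses. It uses Python's built-in sqlite3 module (an in-memory database with constructed sample rows) to show three things from the posts above: why binding the whole "'6', '8', '10'" string to a single IN (@argSize) parameter returns no rows, how to get the same multi-value IN list safely by generating one placeholder per selected value instead of splicing text into the query, and what the address injection in the last comment does when user text is concatenated into the SQL. Table names, column names and the helper functions are assumptions for the illustration; executescript stands in for a database that accepts batched statements.

```python
import sqlite3

# Constructed sample data (not from the original thread): valvesize is stored
# as TEXT to match the questioner's "the field is a string".
SAMPLE_VALVES = [(1, "6"), (2, "8"), (3, "10"), (4, "12"), (5, "4")]


def make_db():
    """Build an in-memory database with the two tables used below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE valves (id INTEGER PRIMARY KEY, valvesize TEXT)")
    conn.executemany("INSERT INTO valves VALUES (?, ?)", SAMPLE_VALVES)
    conn.execute("CREATE TABLE addresses (address TEXT)")
    conn.execute("INSERT INTO addresses VALUES ('123 Main St')")
    conn.commit()
    return conn


def single_param_in(conn, sizes):
    """What the question tried: one parameter holding the text "'6', '8', '10'".
    The driver binds that as ONE string value, so valvesize is compared against
    the literal "'6', '8', '10'" and nothing matches."""
    arg = ", ".join(f"'{s}'" for s in sizes)
    rows = conn.execute("SELECT id FROM valves WHERE valvesize IN (?)", (arg,))
    return [r[0] for r in rows.fetchall()]


def expanded_params_in(conn, sizes):
    """Safe multi-value IN: one placeholder per selected value. Only the COUNT of
    values shapes the SQL text; the values themselves are always bound."""
    if not sizes:
        return []  # "IN ()" is a syntax error on most engines; short-circuit it
    placeholders = ", ".join("?" for _ in sizes)
    sql = f"SELECT id FROM valves WHERE valvesize IN ({placeholders}) ORDER BY id"
    rows = conn.execute(sql, tuple(sizes))
    return [r[0] for r in rows.fetchall()]


def table_exists(conn, name):
    """True if a table with this name is present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def concat_address_query(conn, address):
    """The unsafe pattern from the last comment: user text spliced into the SQL.
    executescript runs every statement in the string, like a server that
    accepts batches, so a '; DROP TABLE ...' payload is executed too."""
    sql = f"SELECT * FROM addresses WHERE address='{address}'"
    conn.executescript(sql)


def param_address_query(conn, address):
    """The same lookup with the address bound as a parameter: the payload is
    just an odd-looking address string that matches no row."""
    rows = conn.execute("SELECT address FROM addresses WHERE address=?", (address,))
    return [r[0] for r in rows.fetchall()]


PAYLOAD = "123 Main St'; DROP TABLE addresses;-- ?"  # the comment's example input

if __name__ == "__main__":
    db = make_db()
    print("single parameter:", single_param_in(db, ["6", "8", "10"]))
    print("expanded parameters:", expanded_params_in(db, ["6", "8", "10"]))
    print("parameterized lookup:", param_address_query(db, PAYLOAD),
          "table still exists:", table_exists(db, "addresses"))
    concat_address_query(db, PAYLOAD)
    print("after concatenated query, table exists:", table_exists(db, "addresses"))
```

The placeholder-expansion approach is the general fix for "pass a list to IN": every engine that supports positional or named parameters can bind N values if the query text contains N placeholders, and because the list values never become part of the SQL string, a selected value of "6'; DROP TABLE valves;--" is simply a string that matches nothing.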
Comments
4 comments