Change default query format

Chris Roberts

26 Mars 2018 04:32

There has been some isses reported on our exrernal facing application when users are trying to query using 'Contains' and 'Does not Contain' options and they are being blocked. What I have found out is that its to do with the LIKE expression and the % wildcard is a blacklisted character by the network F5 confirguration. The Network managers wont change this policy as far as the policy is concerned it looks like a "SQL Injection" attack. Therfore, any LIKE comparison wont get past our DMZ-e front end.

 

They did suggest a work around by rewriting the query using an Oracle regular expression to return the same result:

 

eg where=(LOWER(HUNDRED) LIKE LOWER('%APPILA%')) is rewritten as where=REGEXP_LIKE(LOWER(HUNDRED), LOWER('APPILA'))

 

I did have a go at editing  at the "viewModelId": "SimpleQueryBuilderViewModel" section in the desktop.json file, but couldn't seem to get it to work. I changed "textComparisonQueryFormat": LOWER({0}) LIKE LOWER({1}) to .... "textComparisonQueryFormat": REGEXP_LIKE(LOWER({0}), LOWER({1})) not really sure if thats the appropriate place to do this change if it is at all possible.

 

My other option is just to remove the contains and does not contain options from the Query options.  Is this possible to do for a specific site?  Again I have had a look at the desktop.json file but cant see anything in there that might be the go.

0

• 

  Aaron Oxley

  25 Juni 2018 22:54

  Hi Chris,

   

  I've investigated this behaviour, here are my findings: 

   

  (1) The change you made to the ViewModel in desktop.json, modifying the "textComparisonQueryFormat", is almost there. The problem is that it requires a regular expression in the pattern - your users would have to enter their search terms in regular expressions, which is probably not a reasonable ask for the average user.

  (2) The Contains and Does Not Contain options can not easily be removed. They are embedded in the code, it would require expert manipulation to get those removed while preserving functionality of the other operators. Keep in mind - Start With and Ends With also convert to LIKE expressions, you'd only have "=" and "!=" left. If you are interested in getting this done, the best first step would be contacting your Account Manager to initiate a discussion with our Services team. 

   

  Thanks,

   

  Aaron Oxley

  0

Du måste logga in om du vill lämna en kommentar.