i can not pass string with single quotes to sql query.

Stimulsoft Reports.WEB discussion
somethingwrong
Posts: 3
Joined: Thu Jul 04, 2019 6:17 pm

i can not pass string with single quotes to sql query.

Post by somethingwrong »

Hi,

I am getting an error when I pass a string value with single quotes " ' ' " (e.g. " I want 'this' ") from a PHP variable to the SQL query in CarReport.mrt. It works fine if I pass an integer value from a PHP variable, like below.
In PHP:
$car = " where car_id = 1111 ";

But when I pass a string with single quotes I get an error.
In PHP:
$carColor = " where car_color = 'Cyen' ";

So, how can I pass a value with single quotes into the SQL query?
Query text in CarReport.mrt:
SELECT * FROM CARS
WHERE {car}
AND {carColor}
Lech Kulikowski
Posts: 6245
Joined: Tue Mar 20, 2018 5:34 am

Re: i can not pass string with single quotes to sql query.

Post by Lech Kulikowski »

Hello,

By default, parameters passed to the SQL query are escaped for security. You can disable automatic screening by setting the following option:
StiOptions.Engine.escapeQueryParameters = false;

In this case, you need to make sure yourself that the parameters cannot be used for SQL injection.

Thank you.
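The following PHP script is an added illustration, not code from the thread or from Stimulsoft. It models the two ways the values in this thread can reach the query text, a whole WHERE fragment ({car}, {carColor}) or a bare value, and shows why the default escaping breaks the first but protects the second. The placeholder syntax, the escape rule (double every single quote) and the function names are assumptions made for the demonstration; they stand in for the product's own substitution and should be checked against the Stimulsoft documentation.

```php
<?php
// Added example (not Stimulsoft code). Assumed escape rule: double every
// single quote, the usual way to neutralise a quote inside a SQL literal.
function escapeSqlLiteral(string $value): string
{
    return str_replace("'", "''", $value);
}

// Assumed model of "{name}" substitution with escaping switched on, i.e. the
// default behaviour the reply describes. Missing parameters become ''.
function expandQueryEscaped(string $template, array $params): string
{
    return preg_replace_callback('/\{(\w+)\}/', function (array $m) use ($params): string {
        return escapeSqlLiteral((string) ($params[$m[1]] ?? ''));
    }, $template);
}

// Defensive check for values that should come from a fixed set, so that an
// unexpected string never reaches the query at all.
function requireAllowed(string $value, array $allowed): string
{
    if (!in_array($value, $allowed, true)) {
        throw new InvalidArgumentException("unexpected filter value: $value");
    }
    return $value;
}

// 1. The approach from the question: whole WHERE fragments as parameters.
//    The escaper cannot tell the quotes around 'Cyen' from quotes inside a
//    value, so it doubles them and the generated SQL is no longer valid.
$fragmentTemplate = "SELECT * FROM CARS WHERE {car} AND {carColor}";
$fragments = [
    'car'      => " car_id = 1111 ",
    'carColor' => " car_color = 'Cyen' ",   // constructed, as in the question
];
echo expandQueryEscaped($fragmentTemplate, $fragments), "\n";
// ... AND  car_color = ''Cyen''   <- broken literal, the reported error

// 2. Safer approach: keep the SQL structure in the report's query text and
//    pass only values. The default escaping then protects each literal and
//    there is no need to switch escapeQueryParameters off.
$valueTemplate = "SELECT * FROM CARS WHERE car_id = {carId} AND car_color = '{carColor}'";
$values = [
    'carId'    => (int) "1111",             // numeric input cast to int
    'carColor' => requireAllowed("Cyen", ["Cyen", "Red", "Black"]),
];
echo expandQueryEscaped($valueTemplate, $values), "\n";
// ... WHERE car_id = 1111 AND car_color = 'Cyen'

// A value that itself contains a quote stays inside its literal instead of
// closing it (constructed value, not from the thread).
$values['carColor'] = "Cy'en";
echo expandQueryEscaped($valueTemplate, $values), "\n";
// ... AND car_color = 'Cy''en'
```

The practical reading of the reply is therefore: if the report receives values rather than SQL fragments, the default escaping does its job and the option can stay at its secure default; disabling it only makes sense when every substituted string is built from validated, trusted pieces.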