Using string variable as a parameter in SQL query

Stimulsoft Reports.WEB discussion
kgb2013
Posts: 85
Joined: Fri Nov 01, 2013 9:52 am
Location: Earth

Using string variable as a parameter in SQL query

Post by kgb2013 »

Hello, I am trying to insert a string variable as a parameter to an SQL query.
I have tried the type of varchar and others for the parameter type, but I get an exception:
Failed to convert parameter value from a EkkremDataSource to a String.
Am I missing sth?
I am trying to avoid putting the variable in the query directly (with {variableName}), because the string comes from the user and I want to avoid SQL injection attacks.
(I have set the size for varchar to 200.)
kgb2013
Posts: 85
Joined: Fri Nov 01, 2013 9:52 am
Location: Earth

Re: Using string variable as a parameter in SQL query

Post by kgb2013 »

Now I have also tried the Variant type, but I got another exception:
No mapping exists from object type Reports.Report+EkkremDataSource to a known managed provider native type.
kgb2013
Posts: 85
Joined: Fri Nov 01, 2013 9:52 am
Location: Earth

Re: Using string variable as a parameter in SQL query

Post by kgb2013 »

Is there at least a method of making the direct use of the string variable safe?
Something like that?:
SELECT *
FROM ...
WHERE Title LIKE '{myStringVariable.MakeSecure()}'
Alex K.
Posts: 6488
Joined: Thu Jul 29, 2010 2:37 am

Re: Using string variable as a parameter in SQL query

Post by Alex K. »

Hello,

We couldn't reproduce this bug.
Please send us a sample project with test data which reproduces the issue for analysis.

Thank you.
Attachments
Capture.PNG
kgb2013
Posts: 85
Joined: Fri Nov 01, 2013 9:52 am
Location: Earth

Re: Using string variable as a parameter in SQL query

Post by kgb2013 »

Hello.

In the picture that you have attached, you are using the variable directly.
I get the string from user input. If the user types:
Hello world ' test.
...won't the single quote (') create any problems?


I was trying to use the string variable through a parameter instead:
St6.PNG
Also, now that I have tried using it directly it seems to have the same problem.

I am sending you a demo project with two MRT files. One is using a parameter for the string and the other the variable (directly).
Neither of them sends the query to the DB. The one that uses the variable throws the Exception given above, while the other doesn't seem to throw in this demo, but it does in my real project. Either way, it doesn't send the query to the DB either. :(
http://speedy.sh/Ur9VV/TestStimulsoft-2.zip
I don't know if I am missing sth.
Alex K.
Posts: 6488
Joined: Thu Jul 29, 2010 2:37 am

Re: Using string variable as a parameter in SQL query

Post by Alex K. »

Hello,

Please try to rename your parameter and variable. The "sender" is a reserved word.

Thank you.
Attachments
Capture.PNG
kgb2013
Posts: 85
Joined: Fri Nov 01, 2013 9:52 am
Location: Earth

Re: Using string variable as a parameter in SQL query

Post by kgb2013 »

Oh!
Thank you.
Now it works. :)
It seems I am very unlucky at picking names...
kgb2013
Posts: 85
Joined: Fri Nov 01, 2013 9:52 am
Location: Earth

Re: Using string variable as a parameter in SQL query

Post by kgb2013 »

Sorry to tell you this, but now I have another issue. When doing this:
SELECT ... WHERE dc.Sender LIKE ('%' + @Sender + '%')
The query that gets sent to the database is this:
SELECT ... WHERE dc.Sender LIKE (''%'' + @Sender + ''%'')
Meaning, it doubles the single quotes and I have two single quotes instead of one at each side of the % character.
Any idea why it is doing that and what I can do to avoid this?
Perhaps, I could use another VarChar parameter with Expression = %, but isn't there a better way?
Thanks and sorry for bugging you so much.
Alex K.
Posts: 6488
Joined: Thu Jul 29, 2010 2:37 am

Re: Using string variable as a parameter in SQL query

Post by Alex K. »

Hello,

Please try to use this expression in the parameter's value, not in the SQL query.

Thank you.
Attachments
Capture.PNG
kgb2013
Posts: 85
Joined: Fri Nov 01, 2013 9:52 am
Location: Earth

Re: Using string variable as a parameter in SQL query

Post by kgb2013 »

Thanks.
That works great.
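The approach from the accepted answer, as an added example that is not code from the thread or from Stimulsoft: the '%' wildcards are built into the parameter value on the application side, and the SQL text keeps a bare LIKE placeholder, so a user value containing a single quote is data rather than syntax. It uses Python's sqlite3 with a constructed dc table (the thread names only dc.Sender; the schema and rows are assumed) and additionally escapes user-supplied % and _ so they match literally instead of acting as wildcards.

```python
import sqlite3

# Constructed sample rows (not from the thread): a table with a Sender column.
SAMPLE_ROWS = [
    ("alice@example.com", "Invoice"),
    ("bob@example.com", "Hello world ' test"),
    ("o'brien@example.com", "Report"),
]


def build_like_pattern(user_input: str) -> str:
    """Build the '%' + value + '%' pattern on the application side.

    The wildcards belong in the parameter value, not in the SQL text; that is
    what removed the doubled quotes in the thread. User-supplied '%' and '_'
    are escaped (with '\\') so they match literally rather than as wildcards.
    """
    escaped = (user_input.replace("\\", "\\\\")
                         .replace("%", "\\%")
                         .replace("_", "\\_"))
    return "%" + escaped + "%"


def search_senders(conn: sqlite3.Connection, user_input: str) -> list:
    # '?' is sqlite3's positional placeholder (the thread's @Sender); the
    # pattern is bound as a parameter, so no quoting happens in the SQL text.
    sql = "SELECT Sender, Subject FROM dc WHERE Sender LIKE ? ESCAPE '\\'"
    return conn.execute(sql, (build_like_pattern(user_input),)).fetchall()


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dc (Sender TEXT, Subject TEXT)")
    conn.executemany("INSERT INTO dc VALUES (?, ?)", SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    db = make_db()
    print(search_senders(db, "example"))       # all three rows
    print(search_senders(db, "o'brien"))       # the quote is data, not syntax
    print(search_senders(db, "' OR '1'='1"))   # no match; the query is unchanged
    print(search_senders(db, "%"))             # escaped: matches only a literal '%'
```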