Regarding this post:
http://forum.stimulsoft.com/Default.aspx?g=posts&t=3790
This does not work for me:
Here is what I do:
The SQL is: SELECT * FROM orders WHERE ClientName = {clname}
Then in the url I do
http://localhost/stimulsoft/index.php?stimulsoft_client_key=VieverFx&stimulsoft_report_key=report1&clname=Stimulsoft
Further investigation of what is happening tells me that the parameter value is never passed to the SQL.
This can be seen easily if you replace the line in the sti_mysql_get_data function
$query_result = mysql_query($query, $link) or die("ServerError:Data not found.");
with
$query_result = mysql_query($query, $link) or die("ServerError:Data not found.".$query);
Also, the reporter does not recognise whether the parameter is a string or a number.
Some notes
I think that this way of passing parameters without using the built-in (not in all drivers) bind-parameters function of the driver is very dangerous.
The SQL injection vulnerability in your case is quite easy.
I think that there are two ways of solving this:
1. Using the prepare / bindparameters / execute sequence for passing and executing the query.
In this case not all SQL drivers support this - for example MySQL. You should replace it with the MySQLi driver.
A quite good example of its use is the PDO driver:
http://www.php.net/manual/en/pdostatement.bindparam.php
2. The second way is creating your own interaction form where every parameter is passed through the report.
You already have this in the Data Source interaction screen -> the button "New Parameter".
IMHO the second way of solving this is the preferred one.
And last but not least:
You support only GET for getting the parameters. Not all servers support this, or at least not all ISPs allow this - they allow only POST.
In order to solve this I think the sti_get_parameter($parameter_name)
can be extended like this
function sti_strip($value)
{
    // Undo the automatic escaping added by magic_quotes_gpc, if it is enabled
    if (get_magic_quotes_gpc() != 0)
    {
        if (is_array($value))
        {
            if (sti_array_is_associative($value))
            {
                $tmp_val = array();
                foreach ($value as $k => $v)
                    $tmp_val[$k] = stripslashes($v);
                $value = $tmp_val;
            }
            else
            {
                for ($j = 0; $j < sizeof($value); $j++)
                    $value[$j] = stripslashes($value[$j]);
            }
        }
        else
        {
            $value = stripslashes($value);
        }
    }
    return $value;
}

function sti_array_is_associative($array)
{
    // True when the keys are not exactly 0 .. n-1
    if (is_array($array) && !empty($array))
    {
        for ($iterator = count($array) - 1; $iterator; $iterator--)
        {
            if (!array_key_exists($iterator, $array)) { return true; }
        }
        return !array_key_exists(0, $array);
    }
    return false;
}

function sti_get_parameter($parameter_name, $default_value = "")
{
    // Take the parameter from POST first, then from GET, otherwise the default
    $parameter_value = "";
    if (isset($_POST[$parameter_name]))
        $parameter_value = sti_strip($_POST[$parameter_name]);
    else if (isset($_GET[$parameter_name]))
        $parameter_value = sti_strip($_GET[$parameter_name]);
    else
        $parameter_value = $default_value;
    return $parameter_value;
}
$report_key = $_GET["stimulsoft_report_key"];
$client_key = $_GET["stimulsoft_client_key"];
with
$report_key = sti_get_parameter("stimulsoft_report_key");
$client_key = sti_get_parameter("stimulsoft_client_key");
Kind regards
Tony
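The first fix suggested in the post (prepare / bind / execute) applied to the {clname} style of query, as an added example that is not part of the post or of Stimulsoft's code. It assumes the {name} placeholder syntax shown above, re-declares a simplified sti_get_parameter() so it runs on its own, and uses a constructed in-memory SQLite table in place of the MySQL database.

```php
<?php
// Added example, not Stimulsoft's code: turn a report query using the post's
// {name} placeholders into a PDO prepared statement, so each value is bound by
// the driver instead of spliced into the SQL text. sti_get_parameter() is a
// simplified re-declaration of the post's helper so this file runs alone.

function sti_get_parameter($parameter_name, $default_value = "")
{
    if (isset($_POST[$parameter_name])) return $_POST[$parameter_name];
    if (isset($_GET[$parameter_name]))  return $_GET[$parameter_name];
    return $default_value;
}

// Rewrite "... = {clname}" to "... = :clname" and collect the placeholder names.
function sti_prepare_report_query(PDO $pdo, $sql, array &$names)
{
    $names = array();
    $bound_sql = preg_replace_callback('/\{([A-Za-z_][A-Za-z0-9_]*)\}/',
        function ($m) use (&$names) { $names[] = $m[1]; return ':' . $m[1]; },
        $sql);
    return $pdo->prepare($bound_sql);
}

function sti_run_report_query(PDO $pdo, $sql)
{
    $stmt = sti_prepare_report_query($pdo, $sql, $names);
    foreach ($names as $name) {
        $value = sti_get_parameter($name);
        // Explicit type: a numeric parameter is sent as an integer, anything
        // else as a string, which also answers the string-or-number question.
        if (ctype_digit((string) $value)) {
            $stmt->bindValue(':' . $name, (int) $value, PDO::PARAM_INT);
        } else {
            $stmt->bindValue(':' . $name, (string) $value, PDO::PARAM_STR);
        }
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database so the example runs
// offline; with MySQL the only change is the DSN passed to new PDO().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE orders (id INTEGER, ClientName TEXT)");
$pdo->exec("INSERT INTO orders VALUES (1, 'Stimulsoft'), (2, 'O''Brien')");

$_GET['clname'] = "O'Brien";   // constructed input: the quote is data, not SQL
$rows = sti_run_report_query($pdo, "SELECT * FROM orders WHERE ClientName = {clname}");
echo count($rows), " row(s)\n";
```

Because the value never becomes part of the SQL text, a quote character in clname is matched literally, and the query no longer breaks or changes meaning on such input.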