Passing SQL Parameters problem

Stimulsoft Reports.PHP discussion
tony.tomov
Posts: 72
Joined: Mon Jun 07, 2010 2:39 am

Passing SQL Parameters problem

Post by tony.tomov »

Hello Andrew,
Regarding this post:
http://forum.stimulsoft.com/Default.aspx?g=posts&t=3790

This does not work for me:
Here is what I do:

The SQL is: SELECT * FROM orders WHERE ClientName = {clname}

Then in the url I do

http://localhost/stimulsoft/index.php?stimulsoft_client_key=VieverFx&stimulsoft_report_key=report1&clname=Stimulsoft
The result is: "Data not found".

Further investigation into what is happening tells me that the parameter value is never passed to the SQL.
This can be seen easily if you replace the line in the sti_mysql_get_data function

$query_result = mysql_query($query, $link) or die("ServerError:Data not found.");
with
$query_result = mysql_query($query, $link) or die("ServerError:Data not found.".$query);

Also, the reporter does not recognise whether the parameter is a string or a number.

Some notes
I think that this way of passing parameters without using the built-in (not in all drivers) bind-parameters function of the driver is very dangerous.
The SQL injection vulnerabilities in your case are quite easy.

I think that there are two ways of solving this:

1. Using the prepare / bindparameters / execute sequence for passing and executing the query.
In this case not all SQL drivers support this - for example MySQL. You should replace it with the MySQLi driver.
A quite good example of using is a PDO driver :
http://www.php.net/manual/en/pdostatement.bindparam.php

2. The second way is creating your own interaction form where every parameter is passed through the report.
You already have this in Data Source interaction screen -> The button "New Parameter"

IMHO the second way of solving this is preferred one.

And last but not least:
You support only GET for getting the parameters. Not all servers support this, or at least not all ISPs allow this - they allow only POST.

In order to solve this I think the sti_get_parameter($parameter_name)
can be extended like this

// Undo magic_quotes_gpc escaping so the value is the raw request input.
// (get_magic_quotes_gpc() always returns false from PHP 5.4 on and was
// removed in PHP 8.0, so this branch is a no-op on current PHP.)
function sti_strip($value)
{
    if (get_magic_quotes_gpc() != 0) {
        if (is_array($value)) {
            if (sti_array_is_associative($value)) {
                $tmp_val = array();
                foreach ($value as $k => $v) {
                    $tmp_val[$k] = stripslashes($v);
                }
                $value = $tmp_val;
            } else {
                for ($j = 0; $j < sizeof($value); $j++) {
                    $value[$j] = stripslashes($value[$j]);
                }
            }
        } else {
            $value = stripslashes($value);
        }
    }
    return $value;
}

// True when the array has string keys or gaps in its numeric keys,
// i.e. it is not a plain 0..n-1 list.
function sti_array_is_associative($array)
{
    if (is_array($array) && !empty($array)) {
        for ($iterator = count($array) - 1; $iterator; $iterator--) {
            if (!array_key_exists($iterator, $array)) {
                return true;
            }
        }
        return !array_key_exists(0, $array);
    }
    return false;
}

// Read a request parameter from POST first, then GET, else the default.
function sti_get_parameter($parameter_name, $default_value = "")
{
    if (isset($_POST[$parameter_name])) {
        $parameter_value = sti_strip($_POST[$parameter_name]);
    } elseif (isset($_GET[$parameter_name])) {
        $parameter_value = sti_strip($_GET[$parameter_name]);
    } else {
        $parameter_value = $default_value;
    }
    return $parameter_value;
}


And then in the beginning of the index.php file replace:

$report_key = $_GET["stimulsoft_report_key"];
$client_key = $_GET["stimulsoft_client_key"];
with

$report_key = sti_get_parameter("stimulsoft_report_key");
$client_key = sti_get_parameter("stimulsoft_client_key");


Kind regards
Tony
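The following is an added example, written for this thread and not code from Tony's post or from Stimulsoft. It shows the first of the two fixes proposed above (prepare / bind / execute) applied to a report query that uses {name} placeholders, and it reads parameters from POST as well as GET as the post suggests. The function names sti_request_parameter and sti_prepare_report_query, the orders table and its rows, and the use of an in-memory SQLite database (so it runs offline with the php CLI) are all assumptions made for the example; against MySQL you would use a pdo_mysql DSN instead.

```php
<?php
// Added example (not Stimulsoft code): turn a report query that uses
// {name} placeholders into a PDO prepared statement with bound values.
// Assumptions: PDO with a driver that supports named placeholders
// (pdo_mysql and pdo_sqlite both do); placeholder names match
// [A-Za-z_][A-Za-z0-9_]*.

declare(strict_types=1);

/**
 * Read a request parameter from POST first, then GET, else the default.
 * No stripslashes: magic quotes are gone from PHP, and binding the value
 * makes manual escaping unnecessary anyway.
 */
function sti_request_parameter(string $name, string $default = ''): string
{
    if (isset($_POST[$name]) && is_string($_POST[$name])) {
        return $_POST[$name];
    }
    if (isset($_GET[$name]) && is_string($_GET[$name])) {
        return $_GET[$name];
    }
    return $default;
}

/**
 * Rewrite "{clname}" style placeholders as PDO named placeholders (":clname")
 * and return a prepared statement with every referenced value bound.
 * Values that look like integers are bound as PDO::PARAM_INT, everything
 * else as PDO::PARAM_STR, so the database receives a typed value instead
 * of text pasted into the SQL string.
 */
function sti_prepare_report_query(PDO $pdo, string $sql, array $params): PDOStatement
{
    $used = [];
    $prepared = preg_replace_callback(
        '/\{([A-Za-z_][A-Za-z0-9_]*)\}/',
        function (array $m) use ($params, &$used): string {
            if (!array_key_exists($m[1], $params)) {
                throw new InvalidArgumentException("Missing report parameter: {$m[1]}");
            }
            $used[$m[1]] = true;       // bind each name once, even if reused
            return ':' . $m[1];
        },
        $sql
    );

    $stmt = $pdo->prepare($prepared);
    foreach (array_keys($used) as $name) {
        $value = $params[$name];
        $isInt = is_int($value) || (is_string($value) && preg_match('/^-?\d+$/', $value) === 1);
        if ($isInt) {
            $stmt->bindValue(':' . $name, (int) $value, PDO::PARAM_INT);
        } else {
            $stmt->bindValue(':' . $name, (string) $value, PDO::PARAM_STR);
        }
    }
    return $stmt;
}

// Constructed demo data in an in-memory SQLite database so the example runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE orders (id INTEGER, ClientName TEXT, Amount INTEGER)');
$pdo->exec("INSERT INTO orders VALUES (1, 'Stimulsoft', 100), (2, 'O''Brien', 5), (3, 'Stimulsoft', 250)");

// The report SQL as the designer would write it, with {name} placeholders.
$reportSql = 'SELECT * FROM orders WHERE ClientName = {clname} AND Amount > {minamount}';

// Simulated request: one string value and one numeric value as text.
$_GET = ['clname' => 'Stimulsoft', 'minamount' => '50'];
$params = [
    'clname'    => sti_request_parameter('clname'),
    'minamount' => sti_request_parameter('minamount', '0'),
];
$stmt = sti_prepare_report_query($pdo, $reportSql, $params);
$stmt->execute();
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo "{$row['id']}\t{$row['ClientName']}\t{$row['Amount']}\n";
}

// A value containing a quote is bound as data, so it needs no escaping and
// cannot change the query structure.
$stmt = sti_prepare_report_query($pdo, $reportSql, ['clname' => "O'Brien", 'minamount' => '0']);
$stmt->execute();
echo count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row(s) for O'Brien\n";
```

When the target is MySQL, set PDO::ATTR_EMULATE_PREPARES to false on the connection so the statement is prepared server-side rather than by PDO's client-side quoting; with native prepares on that driver each named placeholder may appear only once in the SQL, which is why the example keys bindings by name. The typing rule here (integer-looking text becomes PDO::PARAM_INT) answers the "string or number" point above; a report designer that already knows each parameter's declared type should pass that type in instead of guessing from the text.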
Andrew
Posts: 4108
Joined: Fri Jun 09, 2006 3:58 am

Passing SQL Parameters problem

Post by Andrew »

Hello, Tony

Many thanks for the detailed analysis and the ways shown for improving the product. We will apply these solutions in the next releases.

Thank you.