I cannot pass a string with single quotes to an SQL query.

Posted: Thu Jul 04, 2019 6:44 pm
by somethingwrong
Hi,

I am getting an error when I pass a string value with single quotes (" ' ' ", e.g. " I want 'this' ") from a PHP variable to the SQL query in CarReport.mrt. It works fine if I pass an integer value from the PHP variable, like below:
In PHP:
$car = " where car_id = 1111 ";

But when I pass a string with single quotes I get an error.
In PHP:
$carColor = " where car_color = 'Cyen' ";

So, how can I pass a value with single quotes into the SQL query?
Query text in CarReport.mrt:
SELECT * FROM CARS
WHERE {car}
AND {carColor}

Re: I cannot pass a string with single quotes to an SQL query.

Posted: Fri Jul 05, 2019 10:31 am
by Lech Kulikowski
Hello,

By default, parameters passed to the SQL query are escaped for security. You can disable automatic escaping by setting the following option:
StiOptions.Engine.escapeQueryParameters = false;

In this case, you need to make sure that the use of the parameters does not allow SQL injection.

Thank you.
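Added example (not from this thread and not the report engine's own code): a small Python/sqlite3 model of why escaping breaks the pattern in the question and what the safer layout looks like. `escape_param` is an assumed stand-in for the engine's automatic escaping (it doubles single quotes), the CARS rows are constructed, and the fragments omit the leading `where` so the template's own WHERE is not duplicated.

```python
import sqlite3

# Constructed sample rows standing in for the CARS table the report queries.
ROWS = [(1111, "Cyen"), (2222, "Red"), (3333, "Cyen")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CARS (car_id INTEGER, car_color TEXT)")
    conn.executemany("INSERT INTO CARS VALUES (?, ?)", ROWS)
    return conn


def escape_param(value):
    """Assumed stand-in for the engine's automatic parameter escaping:
    every single quote inside the parameter text is doubled."""
    return value.replace("'", "''")


def fragment_query(car, car_color, escape=True):
    """The pattern from the question: each parameter is a whole SQL
    fragment that the template pastes into its WHERE clause."""
    if escape:
        car, car_color = escape_param(car), escape_param(car_color)
    return f"SELECT * FROM CARS WHERE {car} AND {car_color}"


def run_fragment(conn, car, car_color, escape=True):
    """Escaping a fragment that is itself SQL turns 'Cyen' into ''Cyen'',
    which is no longer a string literal, so the query fails to parse."""
    try:
        return conn.execute(fragment_query(car, car_color, escape)).fetchall()
    except sqlite3.Error as exc:
        return f"SQL error: {exc}"


def run_bound(conn, car_id, car_color):
    """Safer layout: the SQL stays in the template and the parameters carry
    plain values bound by the driver, so quotes in data never reach the
    SQL text and escaping does not need to be switched off."""
    sql = "SELECT * FROM CARS WHERE car_id = ? AND car_color = ?"
    return conn.execute(sql, (car_id, car_color)).fetchall()
```

With escaping on, the fragment version fails; with it off, the same query runs but every caller must now guarantee the fragments are safe, whereas the bound version accepts a value such as O'Neil without error.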