1-Visitor
July 19, 2019
Solved

Problems with the input parameter in the SQL-query service


Hi!

 

I have a service of the SQL-query type, which selects all the data from the table of my Access database. If I specify the name of the table after FROM, the result is correct. But if I use the input parameter (SCP on the screenshot), in which I enter the same table name when executing the service, the result of the operation is Null. What could be the reason?

 

Input parameter.png

 

Best answer by PaiChung

Input parameters into SQL with [[ ]] are treated as parameters ONLY; you are using it to designate a table.

You can do this by using << >>, which is string substitution.

BUT WARNING - This exposes your database to SQL string injection!

I.e., I can specify SCP as 'DROP SCHEMA' and it will drop your schema.

Be sure to always validate and secure any services that use string substitution.
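One way to do the validation the answer asks for, as an added example that is not part of the original reply or of the product's own code. It assumes the SCP value is checked in JavaScript before it reaches the SQL service that uses `<<SCP>>`; the table names in the allowlist are hypothetical.

```javascript
"use strict";
// Added example: allowlist check for a table name that will be placed into
// SQL by << >> string substitution. "SCP" is the input parameter from the
// question; the table names below are hypothetical.
const ALLOWED_TABLES = new Map([
  ["customers", "Customers"],
  ["orders", "Orders"],
]);

// Plain identifier only: no spaces, quotes, semicolons, brackets or comments.
const IDENTIFIER_SHAPE = /^[a-z_][a-z0-9_]{0,63}$/;

function resolveTableName(scp) {
  if (typeof scp !== "string") {
    throw new TypeError("SCP must be a string");
  }
  const key = scp.trim().toLowerCase();
  if (!IDENTIFIER_SHAPE.test(key)) {
    throw new Error("SCP is not a plain identifier");
  }
  const canonical = ALLOWED_TABLES.get(key);
  if (canonical === undefined) {
    throw new Error("SCP is not an allowed table");
  }
  // Return the allowlist's spelling, never the caller's text.
  return canonical;
}

// Stand-in for what the substitution produces: FROM <<SCP>> with a checked
// name. Access quotes identifiers with square brackets.
function buildSelectAll(scp) {
  return "SELECT * FROM [" + resolveTableName(scp) + "]";
}

// Returns the query text, or a rejection message instead of throwing.
function check(scp) {
  try {
    return buildSelectAll(scp);
  } catch (err) {
    return "REJECTED: " + err.message;
  }
}

// Constructed sample inputs, including the value from the answer above.
for (const sample of ["Orders", " customers ", "DROP SCHEMA", "Secrets", null]) {
  console.log(JSON.stringify(sample), "->", check(sample));
}
```

Values that are data rather than identifiers (for example a WHERE comparison) should stay in `[[ ]]` parameters; only the table name needs this path.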
