Roy,

What you are seeing is what is designed.

We protect you against illegal SQL, or against someone trying to break your
SQL by sticking SQL inside other SQL, by always quoting any text substituted
into the command.  This prevents anyone from misappropriating your SQL command
with bad text.

Now, you also found that we gave you an out.  If you as Administrator make
the ENTIRE SQL command a substitution, then we give up and say that, since you
are substituting the entire command, you must know what you are doing, and we
assume you are doing whatever protecting against bad SQL the customer may
submit.



For those who wonder "what does he mean bad sql"?

What if you had a command like the following:

SELECT a FROM b WHERE ColName = '$subs parameter$'

If the user would enter

aa'; DROP TABLE xx; Select a from b where ColName = 'xyz

as the data value for the subs parameter...  They can "complete the command",
issue another SQL command, and then do something so that the command is valid
again to avoid an error.  This would allow bad SQL to be submitted by the customer.

By always quoting and escaping any user quotes, we prevent that.

If you create the entire command yourself, you have to protect against the
end user entering text that is like the above that could affect your SQL
command syntax....


I hope this explanation helps with why the system works the way it does.

Doug Mueller 
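
A worked illustration of the two paths Doug describes, added here as an example
and not part of the original thread or of AR System code.  It uses Python with
an in-memory SQLite database; the table names, rows and helper functions are
constructed for the demonstration, quote_literal is a hypothetical helper that
reproduces the "always quoting and escaping any user quotes" behaviour in the
message, and executescript stands in for a database interface that accepts
several statements in one string (AR System's own server calls are not shown).
The parameterized variant at the end goes beyond the message: it is the standard
alternative to quoting and escaping.

```python
import sqlite3

# Constructed payload, modelled on the one quoted in the message above.
PAYLOAD = "aa'; DROP TABLE xx; Select a from b where ColName = 'xyz"


def fresh_db() -> sqlite3.Connection:
    """Constructed sample schema using the names from the message (b, ColName, xx)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE b (a TEXT, ColName TEXT);"
        "CREATE TABLE xx (n INTEGER);"
        "INSERT INTO b VALUES ('first', 'xyz'), ('second', 'aa');"
    )
    return con


def table_exists(con: sqlite3.Connection, name: str) -> bool:
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def quote_literal(value: str) -> str:
    """Always quote the substituted text and double any single quote inside it.

    Hypothetical helper written to match the behaviour described in the
    message ("always quoting and escaping any user quotes"); it is not AR
    System code.  The result is one SQL string literal no matter what the
    user typed.
    """
    return "'" + value.replace("'", "''") + "'"


def run_entire_command(con: sqlite3.Connection, user_value: str) -> bool:
    """The "you built the ENTIRE command yourself" path.

    The user value is pasted raw into the SQL text, and the text goes to a
    call that accepts several statements in one string (executescript stands
    in for such a server interface).  Returns whether table xx survived.
    """
    sql = f"SELECT a FROM b WHERE ColName = '{user_value}'"
    con.executescript(sql)          # the payload's DROP TABLE runs as statement two
    return table_exists(con, "xx")


def run_with_escaped_parameter(con: sqlite3.Connection, user_value: str):
    """The default path: the substituted value is quoted and escaped first.

    The same multi-statement-capable call is used, but the whole payload is
    now a single string literal, so only the intended SELECT runs.  Returns
    (xx still exists, matching values of column a).
    """
    sql = "SELECT a FROM b WHERE ColName = " + quote_literal(user_value)
    con.executescript(sql)
    rows = con.execute(sql).fetchall()
    return table_exists(con, "xx"), [r[0] for r in rows]


def run_parameterized(con: sqlite3.Connection, user_value: str) -> list:
    """Beyond the message: bind the value instead of building SQL text at all.

    The driver never interprets the payload as SQL, so no quoting or escaping
    is needed.  This is the standard alternative to the escaping approach, not
    something the message describes.
    """
    rows = con.execute("SELECT a FROM b WHERE ColName = ?", (user_value,)).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("escaped literal:", quote_literal(PAYLOAD))
    print("raw substitution, xx survives:", run_entire_command(fresh_db(), PAYLOAD))
    print("escaped substitution:", run_with_escaped_parameter(fresh_db(), PAYLOAD))
    print("parameterized:", run_parameterized(fresh_db(), PAYLOAD))
```

With the raw substitution the payload becomes three statements and table xx is
gone afterwards; with the quoted and escaped value the identical text is one
harmless SELECT that matches no row, which is exactly why Roy saw his own quotes
escaped when he substituted only the parameter.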

-----Original Message-----
From: Action Request System discussion list(ARSList) 
[mailto:[email protected]] On Behalf Of Ashcraft, Roy W CTR USAF AFWA 2 
SYOS/SYOE
Sent: Wednesday, September 22, 2010 7:07 AM
To: [email protected]
Subject: Re: Set Fields from SQL

Never mind. A coworker suggested trying to build the entire SQL query in a
separate character field and then substitute that into the SQL set fields
rather than building it piecemeal there. That worked; it did not escape the
single quotes using this action.

Thanks,
Roy



//SIGNED//
ROY ASHCRAFT, Contractor, 2 SOS/SYOE
Remedy ARS Support, SAIC
(402) 294-8225, DSN 271-8225
[email protected]


-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:[email protected]] On Behalf Of Ashcraft, Roy W CTR USAF AFWA 2
SYOS/SYOE
Sent: Wednesday, September 22, 2010 8:59 AM
To: [email protected]
Subject: Set Fields from SQL

---------------------- Information from the mail header
-----------------------
Sender:       "Action Request System discussion list(ARSList)"

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are"