cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Community Tip - Have a PTC product question you need answered fast? Chances are someone has asked it before. Learn about the community search. X

executing a sql query constructed dynamically fails

Go to solution
rkandasamy-2
1-Newbie
1-Newbie
‎May 29, 2017 07:07 AM
‎May 29, 2017 07:07 AM

executing a sql query constructed dynamically fails

Hi Pai,

I have written a thingworx service as follows,

GetDetails:

String = "select * from sample;";

var params = {

  fullQueryString: String /* STRING */

};

// result: INFOTABLE dataShape: "undefined"

var result = me.SQLQuery(params);

I have written an SQLQuery   (SQL)as follows,

[[fullQueryString]]


But when i execute the root javascript service "GetDetails" i am getting the error as follows,

Error executing service

Wrapped org.postgresql.util.PSQLException: ERROR: syntax error at or near "$1" Position: 1 Cause: ERROR: syntax error at or near "$1" Position: 1

Please let me know if  i am missing anything.

Labels:
0 Kudos
Notify Moderator
1 ACCEPTED SOLUTION

Accepted Solutions
supandey
19-Tanzanite
19-Tanzanite
(To:rkandasamy-2)
‎May 30, 2017 07:38 AM
‎May 30, 2017 07:38 AM

Does the error remains the same? Did you also test with <<query >> instead of [[query]] ? I think in the past i have tested the substitution with <<>> which worked. Which was also discussed in the old thread Re: How can I execute a sql query constructed dynamically? where you posted this question previously.

If you'll check Pai's response in that thread he highlighted the fact that << >> means String substitution contrary to [[ ]] which also leads to next important point that please do ensure that there is proper validation to prevent against the SQL injection (do refer to the response from Pai in that thread for more)

Hope this helps.

View solution in original post

Notify Moderator
4 REPLIES 4
supandey
19-Tanzanite
19-Tanzanite
(To:rkandasamy-2)
‎May 29, 2017 07:19 AM
‎May 29, 2017 07:19 AM

Radhakrishnan, not sure if it'll help but did you test without the ";" within the double quotation mark?

0 Kudos
Notify Moderator
rkandasamy-2
1-Newbie
1-Newbie
(To:supandey)
‎May 30, 2017 07:26 AM
‎May 30, 2017 07:26 AM

Hi Sushant,

I have tried with out semicolon as well but still it is not working. To keep it simple, i directly tried to run the query service alone where just [[fullQueryString]] is given. I have just passed both 'select * from sample' and select * from sample;'. But still both the ways are not working.

In the query service, if i give directly as 'select * from sample'   (without quotes)  it works.

If possible,Please try once from you end and confirm if you are execute with just [[fullQueryString]] param.

0 Kudos
Notify Moderator
supandey
19-Tanzanite
19-Tanzanite
(To:rkandasamy-2)
‎May 30, 2017 07:38 AM
‎May 30, 2017 07:38 AM

Does the error remains the same? Did you also test with <<query >> instead of [[query]] ? I think in the past i have tested the substitution with <<>> which worked. Which was also discussed in the old thread Re: How can I execute a sql query constructed dynamically? where you posted this question previously.

If you'll check Pai's response in that thread he highlighted the fact that << >> means String substitution contrary to [[ ]] which also leads to next important point that please do ensure that there is proper validation to prevent against the SQL injection (do refer to the response from Pai in that thread for more)

Hope this helps.

Notify Moderator
rkandasamy-2
1-Newbie
1-Newbie
(To:supandey)
‎May 30, 2017 08:43 AM
‎May 30, 2017 08:43 AM

Thanks for the prompt reply Sushant. I am able to dynamically pass the query and execute the same by using the query as <<>>.

Regarding SQL injection, the control is at the service level and not at the query level. So Apart from using System User to restrict the SQL injection at service level, if there are any other methods to control at the query level or any other steps to be taken care, Please update here.

0 Kudos
Notify Moderator
Top Tags