when using SuiteQL, is there a way to properly san...
# suitescripte
eliyahu moskowitz
09/07/2022, 4:22 PMwhen using SuiteQL, is there a way to properly sanitize query strings, ideally for ALL potentially problematic/unsafe characters, such as single quotes like O'Reilly. i know that making it '', helps that but is there is a way to sanitize ALL potentially problematic/unsafe characters?
e
ec
09/07/2022, 4:25 PMyou mean in the WHERE clause? Are you using parameters?
e
eliyahu moskowitz
09/07/2022, 4:26 PMyes WHERE blank IN ('O'Reilly')
e
ec
09/07/2022, 4:26 PMAre you using parameters, or building the query string manually?
e
eliyahu moskowitz
09/07/2022, 4:26 PMparameters
e
ec
09/07/2022, 4:26 PMusing * as the param
ec
09/07/2022, 4:26 PMstill poses an issue?
e
eliyahu moskowitz
09/07/2022, 4:27 PMwhaddaya mean by params
eliyahu moskowitz
09/07/2022, 4:27 PMim doing: WHERE blank IN ('${param}')
e
ec
09/07/2022, 4:27 PMquestion mark instead
e
eliyahu moskowitz
09/07/2022, 4:28 PMand then where is the param?
e
ec
09/07/2022, 4:28 PMdepends - share code?
e
eliyahu moskowitz
09/07/2022, 4:30 PMim using runsuiteql
e
ec
09/07/2022, 4:30 PMmessage has been deleted
ec
09/07/2022, 4:31 PMso, if you pass the query as IN (?) perhaps and then set the parameters option, you should be good to go
e
eliyahu moskowitz
09/07/2022, 4:32 PMgotcha, thanks!!
e
ec
09/07/2022, 4:32 PMvar oreilly = “O’Reilly”; or ’O\‘Reilly’;
then
q.params = [oreilly];
ec
09/07/2022, 4:32 PMok
e
eliyahu moskowitz
09/07/2022, 4:35 PMbut im passing an array - so the params needs an array or the string which would have gone there?
e
ec
09/07/2022, 4:35 PMoh. array for the IN … so we’re back to square one
ec
09/07/2022, 4:36 PMhow about outputting the array as strings, that should work
e
eliyahu moskowitz
09/07/2022, 4:36 PM'a', 'b', 'c'? or ['a', 'b', 'c']?
cuz without params i do as strings
e
ec
09/07/2022, 4:40 PMok, so if you know the length of the array, you can output like so:
WHERE blah blah blah IN (?, ?, ?, ?, ?)
by simply printing ?, for the length of the array
Then pass the array to the query call
ec
09/07/2022, 4:41 PMwill that work? idea of parameters is to avoid sql injection, etc
e
eliyahu moskowitz
09/07/2022, 4:52 PMworks, but a crazy way to do it.
do you know for sure that this protects from ALL problems like single quotes and stuff?
e
ec
09/07/2022, 4:53 PMnope! try it. break it. 🙂
m
michoel
09/07/2022, 4:53 PMWHERE blank IN ('${params.map(a => '?').join(",")}')
e
ec
09/07/2022, 4:54 PMthanks, @michoel that’s it… I think that is what he is doing now, right?
e
eliyahu moskowitz
09/07/2022, 4:56 PM Copy code
('${params.map(a => '?').join(",")}')m
michoel
09/07/2022, 4:56 PMyeah sorry it's 3 am here
e
ec
09/07/2022, 4:56 PMi would think so yea
e
eliyahu moskowitz
09/07/2022, 4:56 PMthe ? should be a variable, not a sting of '?'
e
ec
09/07/2022, 4:56 PMhaha go to sleep michoel
m
michoel
09/07/2022, 4:56 PMi wish
e
ec
09/07/2022, 4:57 PMthe output is ? but the map function looks correct
ec
09/07/2022, 4:57 PMtry it in plain old console - the result should look as we described it earlier
ec
09/07/2022, 4:58 PMWHERE blah blah blah IN (?, ?, ?, ?, ?)e
eliyahu moskowitz
09/07/2022, 4:58 PMbut the param variables need to all be legit strings, not 'o'reilly'
e
ec
09/07/2022, 4:59 PMMichoel was just describing how to get the WHERE clause to print properly, then you pass the array to the “params” parameter/option. the array contains strings.
ec
09/07/2022, 5:00 PMSQL then understands how to read ’em.
e
eliyahu moskowitz
09/07/2022, 5:02 PM Copy code
.runSuiteQL({
query: `SELECT blank FROM blank
WHERE LOWER(blank) IN (?,?) OR LOWER(blank) IN (?,?)`,
params: ["o'<mailto:brain@gmail.com|brain@gmail.com>", '<mailto:jj@g.com|jj@g.com>', "o'<mailto:brain@gmail.com|brain@gmail.com>", '<mailto:jj@g.com|jj@g.com>']
})eliyahu moskowitz
09/07/2022, 5:02 PMworks, tx!
e
ec
09/07/2022, 5:06 PM😉
5 Views