I know we have a similar question here
Passing a parameter via URL to SQL Server Reporting Services
My issue is if I have a parameter that contains the special character &, how can I pass it via URL?
In the following example (borrowed from the link above), if my UserID parameter has a value of "abc123", I will have the following syntax
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC123&rc:Toolbar=false
But the problem is if I have UserID = "abc&123", with the "&" as a special character, if I still use the previous format, it will fail out
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC&123&rc:Toolbar=false
So how should I handle this "&" in "abc&123" ?
Thanks a lot in advance for your time.
Jeff
I 'think' you'll need to encode the & to '%26'
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC%26123&rc:Toolbar=false
Related
I'm have a SSIS connection string that includes an escape character which is preventing the connection string from working. Does anyone know how to prevent the escape character from being applied?
Here is an example of my database connection: DatabaseServer\DInstanceName
If you're building connection string dynamically from variables or even if you don't, you can use Properties-> Expressions-> Connection string expression where you can test the resulting output of the expression. And use \ to escape any character.
Better approach would be to use SSIS XML Configuration so you don't need to edit your package everytime you need to make some changes in connection string.
the escaping will be "\" it will give you \ but for your connection string I alredy give a solution on you other ques . here also I am pasting the same thing. plz check it :)
I have taken the first parameter for connction string like : "anystaring
and the second parameter for the db is : newdb"
so now check the screenshot I have given the URL(not able to upload the image sorry):
http://tinypic.com/view.php?pic=2v3oj6x&s=8#.VHQ8aSjrbcs
I have a data driven subscription with the file name as one of the columns in the object that SSRS uses to fulfill the subscription.
The file name is the subject of the report. I have tested this a few ways and the error is happening with the file name, not when I pass the item as a parameter.
For example, the report as a single Parameter, Item.
The report is written to a file share:
Path: \\directory\store
Parameter: Item=Blue&White
File Name: Blue&White.pdf
I have tried substituting the "&" with other characters, and of course it works, but it is really important for the file to be named Blue&White.pdf
Any suggestions are appreciated.
I think it is interpreting the '&' as an argument separator as application/x-www-form-urlencoded.
You may want to consider different encoding of the Unicode Character 'AMPERSAND' (U+0026). However since '&' is used as an escape character you options may be limited.
&
%26
\u0026
I am using a data driven subscription and used the SQL command to set the filename. The REPLACE function was used to change '&' to 'and'.
These is one keyword confliction issue in the query module of my application,please see if you can tell me a smart solution.
First,In query module,each query condition contains three parts in UI:
1.field name,its value is fixed,e.g origin,finalDest...
2.operator,it is a select list which includes "like","not like","in","not in","=","!="
3.value,this part is input by user.then in back-end,it will assemble the SQL statement according to UI's query criteria,e.g if user type/select following stuff in UI
Field Name Operator Value
origin like CHI
finalDest in SEL
In back-end,it will generate following SQL:
select * from Booking where origin like '%CHI%' and finalDest in ('SEL').
But there is a bug,e.g if user type some of special symbol in "value",e.g "'","_" etc,it will lead to the generated SQL also contain ' or _ ,e.g:
select * from Booking where origin like '%C_HI%' and finalDest in ('S'EL').
you could see as there is special symbol in "where" block,the SQL can't be executed
For this problem,my solution is add escape character "/" in front of the special symbol before executing it,but what i know is just ' or _ that would conflict with the SQL keywords,do you know if there is any others similar symbol that i need to handle or do you guys have any better idea that can avoid the injection
Sorry,forgot told you what language i am using,i am using java,the DB is mysql,i also use hibernate,there are a lot of people said why i didn't use PreparedStatement,this is a little complex,simply speaking,in my company,we had a FW called dynamic query,we pre-defined the SQL fragment in a XML file,then we will assemble the SQL according to the UI pass in criteria with the jxel expression,as the SQL is kinda of pre-defined stuff,i afraid if change to use PreparedStatement,it will involve a lot of change for our FW,so what we care is just on how to fix the SQL injection issue with a simple way.
The code should begin attempting to stop SQL injection on the server side prior to sending any information to the database. I'm not sure what language you are using, but this is normally accomplished by creating a statement that contains bind variables of some sort. In Java, this is a PreparedStatement, other languages contains similar features.
Using bind variables or parameters in a statement will leverage built in protection against SQL injection, which honestly is going to be better than anything you or I write on the database. If your doing any String concatenation on the server side to form a complete SQL statement, this is an indicator of a SQL injection risk.
0 An ASCII NUL (0x00) character.
' A single quote (“'”) character.
" A double quote (“"”) character.
b A backspace character.
n A newline (linefeed) character.
r A carriage return character.
t A tab character.
Z ASCII 26 (Control+Z). See note following the table.
\ A backslash (“\”) character.
% A “%” character. See note following the table.
_ A “_” character. See note following the table
Reference
Stack Similar Question
You should use bind variables in your SQL statement. As already mentioned this is done with PreparedStatements in Java.
To make sure, only valid column names are used, you can validate the input against the database. MySQL provides schema information like columns of each table as part of the INFORMATION_SCHEMA. For further information, check the MySQL documentation:
"The INFORMATION_SCHEMA COLUMNS Table"
I have in my database a column with the parameters value of an url. I want with an sql query to put those parameters in different columns. I give an example:
I have now a column named parameters with for example this value: pOrgNum=j11000&pLanguage=nl&source=homepage
now I want three columns: pOrgnum | pLanguage | source with the values of my parameters.
The problem is that I don't know the order of my parameters or the length of it, so I can't use for example substring(parameters,9,6) to extract the parameter pOrgnum. can someone help me please?
There's a MySQL UDF that you can use to do exactly this, which also handles decoding the params and handles most character encodings, etc.
https://github.com/StirlingMarketingGroup/mysql-get-url-param
Examples
select`get_url_param`('https://www.youtube.com/watch?v=KDszSrddGBc','v');
-- "KDszSrddGBc"
select`get_url_param`('watch?v=KDszSrddGBc','v');
-- "KDszSrddGBc"
select`get_url_param`('watch?v=KDszSrddGBc','x');
-- null
select`get_url_param`('https://www.google.com/search?q=cgo+uint32+to+pointer&rlz=1C1CHBF_enUS767US767&oq=cgo+uint32+to+pointer&aqs=chrome..69i57.12106j0j7&sourceid=chrome&ie=UTF-8','q');
-- "cgo uint32 to pointer"
select`get_url_param`('/search?q=Na%C3%AFvet%C3%A9&oq=Na%C3%AFvet%C3%A9','q');
-- "Naïveté"
Disclaimer, I am the author.
I achieved this by taking the right of the string after the search parameter, then the left of the resulting string before the first &.
This handles
if the parameter was the last in the url (so no "&" follows it)
if the parameter does not exist (returns blank)
varying lengths of the search string (provided you replace "utm_medium" everywhere)
This finds the value of "utm_medium" in a parameter named url:
IF(locate("utm_medium", url)=0, '', LEFT(RIGHT(url,length(url)-locate("utm_medium",url)-length("utm_medium")),IF(locate("&",RIGHT(url,length(url)-locate("utm_medium",url)-length("utm_medium")))=0,length(RIGHT(url,length(url)-locate("utm_medium",url)-length("utm_medium")+1)),locate("&",RIGHT(url,length(url)-locate("utm_medium",url)-length("utm_medium"))))-1)) utm_medium
To use, find and replace url with your field name, and utm_medium with your url parameter.
May be inefficient, but gets the job done, and couldn't find an easy answer elsewhere
Its code work in mysql:
SELECT substring_index(URL_FIELD,'\',-1) FROM DemoTable;
I want to Remove Invalid unicode Characters from a field in sql server.
How to achieve that?
What exactly do you count as "invalid" characters?
What is the data-type of the field (char/varchar) or (nchar/nvarchar)
What you may find is that this is an instance where a SQLCLR function to take a SqlString as an input and return a SqlString.
You can then use the more powerful .NET String-manipulation, Encoding, and Globalization features.