Data Driven Subscription Special Characters needed in File Name - reporting-services

I have a data driven subscription with the file name as one of the columns in the object that SSRS uses to fulfill the subscription.
The file name is the subject of the report. I have tested this a few ways and the error is happening with the file name, not when I pass the item as a parameter.
For example, the report as a single Parameter, Item.
The report is written to a file share:
Path: \\directory\store
Parameter: Item=Blue&White
File Name: Blue&White.pdf
I have tried substituting the "&" with other characters, and of course it works, but it is really important for the file to be named Blue&White.pdf
Any suggestions are appreciated.

I think it is interpreting the '&' as an argument separator as application/x-www-form-urlencoded.
You may want to consider different encoding of the Unicode Character 'AMPERSAND' (U+0026). However since '&' is used as an escape character you options may be limited.
&
%26
\u0026

I am using a data driven subscription and used the SQL command to set the filename. The REPLACE function was used to change '&' to 'and'.

Related

Passing a parameter via URL to SQL Server Reporting Services when a parameter value contains special character &

I know we have a similar question here
Passing a parameter via URL to SQL Server Reporting Services
My issue is if I have a parameter that contains the special character &, how can I pass it via URL?
In the following example (borrowed from the link above), if my UserID parameter has a value of "abc123", I will have the following syntax
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC123&rc:Toolbar=false
But the problem is if I have UserID = "abc&123", with the "&" as a special character, if I still use the previous format, it will fail out
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC&123&rc:Toolbar=false
So how should I handle this "&" in "abc&123" ?
Thanks a lot in advance for your time.
Jeff
I 'think' you'll need to encode the & to '%26'
http://server.domain.com/ReportServer?/ReportFolder1/ReportSubfolder1/ReportName&UserID=ABC%26123&rc:Toolbar=false

In Mediawiki, between PAGENAME, PAGENAMEE and urlencode, which one is actually stored in the Page table?

In the pages I've checked, they all return the same thing, but the Mediawiki documentation says there are differences.
I'm not worried about the differences, but which one is actually stored in the page table?
Neither of them. The internal representation ("DB key form") is title without namespace (it's stored separately as a number in page_namespace), spaces replaced with underscores. The code is here. Thus it's neither {{PAGENAME}} which is human-readable title, nor {{PAGENAMEE}} which is {{#urlencode:{{PAGENAME}}}} with special case for spaces -> underscores.
Got it. I saved the page "Texas A & M" and in the page table it shows as "Texas_A_&_M".
According to Mediawiki's Manual:PAGENAMEE_encoding page (I can't post more than two links), PAGENAME is the only one that will convert an ampersand to & while the others convert it to %26.
The following is still not correct!
I thought it was PAGENAME, but PAGENAME actually doesn't replace the spaces with underscores.
Instead, I found here and here that you can access the string that is stored in the Page table by using this:
$dbk = $title->getDBkey();
That snippet is pulled straight from Mediawiki code.
It doesn't appear there is a Magic Word associated with this key.
I can't find where the page_title in the database comes from, but it looks like it's simply the page name with the spaces, quotes, and ampersand replaced. Maybe it's database dependent. I'm using MySQL.

smart solution of SQL injection

These is one keyword confliction issue in the query module of my application,please see if you can tell me a smart solution.
First,In query module,each query condition contains three parts in UI:
1.field name,its value is fixed,e.g origin,finalDest...
2.operator,it is a select list which includes "like","not like","in","not in","=","!="
3.value,this part is input by user.then in back-end,it will assemble the SQL statement according to UI's query criteria,e.g if user type/select following stuff in UI
Field Name Operator Value
origin like CHI
finalDest in SEL
In back-end,it will generate following SQL:
select * from Booking where origin like '%CHI%' and finalDest in ('SEL').
But there is a bug,e.g if user type some of special symbol in "value",e.g "'","_" etc,it will lead to the generated SQL also contain ' or _ ,e.g:
select * from Booking where origin like '%C_HI%' and finalDest in ('S'EL').
you could see as there is special symbol in "where" block,the SQL can't be executed
For this problem,my solution is add escape character "/" in front of the special symbol before executing it,but what i know is just ' or _ that would conflict with the SQL keywords,do you know if there is any others similar symbol that i need to handle or do you guys have any better idea that can avoid the injection
Sorry,forgot told you what language i am using,i am using java,the DB is mysql,i also use hibernate,there are a lot of people said why i didn't use PreparedStatement,this is a little complex,simply speaking,in my company,we had a FW called dynamic query,we pre-defined the SQL fragment in a XML file,then we will assemble the SQL according to the UI pass in criteria with the jxel expression,as the SQL is kinda of pre-defined stuff,i afraid if change to use PreparedStatement,it will involve a lot of change for our FW,so what we care is just on how to fix the SQL injection issue with a simple way.
The code should begin attempting to stop SQL injection on the server side prior to sending any information to the database. I'm not sure what language you are using, but this is normally accomplished by creating a statement that contains bind variables of some sort. In Java, this is a PreparedStatement, other languages contains similar features.
Using bind variables or parameters in a statement will leverage built in protection against SQL injection, which honestly is going to be better than anything you or I write on the database. If your doing any String concatenation on the server side to form a complete SQL statement, this is an indicator of a SQL injection risk.
0 An ASCII NUL (0x00) character.
' A single quote (“'”) character.
" A double quote (“"”) character.
b A backspace character.
n A newline (linefeed) character.
r A carriage return character.
t A tab character.
Z ASCII 26 (Control+Z). See note following the table.
\ A backslash (“\”) character.
% A “%” character. See note following the table.
_ A “_” character. See note following the table
Reference
Stack Similar Question
You should use bind variables in your SQL statement. As already mentioned this is done with PreparedStatements in Java.
To make sure, only valid column names are used, you can validate the input against the database. MySQL provides schema information like columns of each table as part of the INFORMATION_SCHEMA. For further information, check the MySQL documentation:
"The INFORMATION_SCHEMA COLUMNS Table"

SSIS how to convert string (DT_STR) to money (DT_CY) when source has more than 2 decimals

I have a source flat file with values such as 24.209991, but they need to load to SQL Server as type money. In the DTS (which I am converting from), that value comes across as 24.21. How do I convert that field in SSIS?
Right now, I am just changing the type from DT_STR to DT_CY, and it gives a run error of 'Data conversion failed. The data conversion for column "Col003" returned status value 2 and status text "The value could not be converted because of a potential loss of data.".'
Do I use a Data Conversion task? And then what?
I've also tried setting the source output column to DT_NUMERIC, and then convert that to DT_CY, with the same result.
I've also tried using Derived Columns, casting the DT_STR field Col003 to (DT_NUMERIC,10,2)Col003 and then casting that to (DT_CY)Col003_Numeric. That's getting a cast error.
The flat file defaults to all fields being DT_STR. Use the Advanced option on editing the connection to have the numeric field as float (DT_R4). Then, in the advanced editing of the Flat File Source (on the Data Flow tab), set that output column to money (DT_CY).
Then, the field will convert without any additional conversions. The issue was leaving the source file definition as DT_STR.
If you don't have any null value use Data Conversion, and make sure you don't have any funny character (e.g. US$200 produce error)
If you have null or empty fields in your field and you are using Flat file source, make sure that you tick "Return null value from source.."
Another trick I have used is something like: (taxvalue != "" ? taxvalue : NULL(DT_WSTR,50)). in Derived Column transformation (you can just replace the field)
Generally SSIS doesn't convert empty strings to money properly.
For some reason in my scenario, the OLE DB Destination actually was configured to accept a DT_CY. However, casting to this format (no matter the length of the input and destination data, and no matter wether or not the data was NULL when it arrived) always caused the same issue.
After adding data viewers, I can conclude that this has something to do with the locale. Here in Denmark, we use comma (,) as decimal delimiters and dots (.) as thousands-delimiters, instead of the opposite.
This means that a huge number like 382,939,291,293.38 would (after the conversion to DT_CY) look like 382.939.291.293,38. Even though I highly doubted that it could be the issue, I decided to do the opposite of what I originally had intended.
I decided to go to the advanced settings of my OLE DB Destination and change the DT_CY column's type to DT_STR instead. Then, I added a Derived Column transformation, and entered the following expression to transform the column before the data would arrive at the destination.
REPLACE(SUBSTRING(Price, 2, 18), ",", ".") where Price was the column's name.
To my big surprise, this solved the problem, since I figured out that my OLE DB Destination was now sending the data as a string, which the SQL Server understood perfectly fine.
I am certain that this is a bug! I was using SQL Server 2008, so it might have been solved in later editions. However, I find it quite critical that such an essential thing is not working correctly!

SSIS connection expression problem

Im trying to use an expression to a sub package in SSIS however it always errors out stating that it cannot find the dtsx file. Ive copied the path to explorer and it seems to be correct.
The error also states that expression cannot be written to the property. My code is below.
#[User::vRoot] + "\Employees.dtsx" with #[User::vRoot] being a variable stored in SQL
Any Ideas
Try to escape the backslash in the expression using an additional backslash.
#[User::vRoot] + "\\Employees.dtsx"
In such a scenario where I need to concatenate folder and file name, I always do it this way. I usually create two variables named FolderPath and FileName. Let's assume FolderPath contains C:\temp\ (make sure it ends with a back slash) and FileName contains Employees.dtsx.
I will create a third variable named FilePath and will set the EvaluateAsExpression property of this variable to true. I will set the following expression in this variable so it dynamically evaluates the value.
#[User::FolderPath] + #[User::FileName]
Hope that helps.
Backslash is an escape character here, so if you want to represent a literal backslash, it's "\\".
I also suggest, as a general rule, instead of hardcoding a backslash in the string concatenation, to use this method to consider potential trailing backslashes in the first variable:
#[User::vRoot] + (RIGHT(#[User::vRoot], 1) == "\\" ? "" : "\\") + "Employees.dtsx"