Version 5.x > Portal Engine > Custom Macro - sqlescape
Member
nicola.cesaroni-iseaisea - 11/18/2010 6:48:51 PM
Custom Macro - sqlescape
Hello,
in the WhereCondition property of a Datalist web part I need to insert a long SQL WHERE condition with a custom macro (there are too many parameters to use the querystring), but the final string retrieved has ' changed to '' (to prevent SQL injection) and I receive a SQL error.
I read in the forum that custom macros don't use parameters (e.g. |(sqlescape)false). Any suggestions?

thanks
Nicola

Kentico Developer
kentico_ivanat - 11/19/2010 3:03:41 AM
RE:Custom Macro - sqlescape
Hi,

could you please try to use the following custom macro code. In case it will not work for you, could you please post us the code of your custom macro?

public static string ResolveCustomMacro(MacroResolver sender, string expression, out bool match)
{
    match = false;
    string result = expression;

    // Add your custom macro evaluation
    switch (expression.ToLower())
    {
        case "mymacro":
            // Sample value that contains single quotes
            match = true;
            result = "parameter='value'";
            break;
    }

    return result;
}

Best regards,
Ivana Tomanickova

Member
nicola.cesaroni-iseaisea - 11/19/2010 5:50:56 AM
RE:Custom Macro - sqlescape
Hi Ivana,
thanks for the fast reply.
My code is like the one above:

    case "mymacro":
        match = true;
        // Builds the WHERE condition from the macro's own logic
        result = GetWhereCondition();
        break;

and then the GetWhereCondition() function returns the SQL WHERE condition like:

city='Milan' and nation='Italy' (it's only a sample)

with the debugger, result = city='Milan' and nation='Italy'

but Explorer (when I open the page with the web part) returns an SQL error: incorrect syntax ....

city=''Milan'' and nation=''Italy'' (the ' is changed to '')

best regards
Nicola Cesaroni

Kentico Consulting
kentico_mirekr - 11/19/2010 6:33:03 AM
RE:Custom Macro - sqlescape
Hi,

Each web part should inherit from the CMSAbstractWebPart class, like the Datalist web part. This CMSAbstractWebPart class contains a definition for SQLProperties (this property is meant for SQL injection prevention). So, if you are using the Datalist web part, please try to use the following code in the SetupControl method of the Datalist web part (~\CMSWebParts\Viewers\Documents\cmsdatalist.ascx.cs) code file:

// Empty list: none of this web part's properties get the automatic ' -> '' escaping
this.SQLProperties = "";

I hope this will help you.

Best regards,
Miroslav Remias.

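As an added illustration (not code from this thread or from Kentico), the following plain C# shows the two sides of what the posts above describe: escaping the whole WhereCondition string doubles every quote in a macro-built condition and breaks the SQL, and once SQLProperties is emptied that protection is gone, so the custom macro itself must escape each value and restrict the column names it accepts. The class and method names (WhereConditionDemo, SqlEscape, BuildWhereCondition) and the sample values are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Constructed illustration, not Kentico code.
public static class WhereConditionDemo
{
    // Columns the macro is allowed to filter on; anything else is rejected.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "city", "nation" };

    // Doubles single quotes, the same transformation the web part applies
    // to every property listed in SQLProperties.
    public static string SqlEscape(string value)
    {
        return value.Replace("'", "''");
    }

    // Builds "col1='v1' AND col2='v2'", escaping each VALUE individually so a
    // value containing ' cannot terminate its string literal. This is what the
    // macro has to do itself when SQLProperties is set to "".
    public static string BuildWhereCondition(IDictionary<string, string> filters)
    {
        if (filters.Count == 0) return "1=1";
        return string.Join(" AND ", filters.Select(f =>
        {
            if (!AllowedColumns.Contains(f.Key))
                throw new ArgumentException("Column not allowed: " + f.Key);
            return f.Key + "='" + SqlEscape(f.Value) + "'";
        }));
    }

    public static void Main()
    {
        // Constructed sample input; the city deliberately contains a quote.
        var filters = new Dictionary<string, string>
        {
            { "city", "L'Aquila" },
            { "nation", "Italy" }
        };

        // Correct: quotes inside the values are doubled, the delimiters are intact.
        string where = BuildWhereCondition(filters);
        Console.WriteLine(where);

        // What the thread describes: the web part escapes the WHOLE string again,
        // so the delimiting quotes are doubled too and SQL Server reports a syntax error.
        Console.WriteLine(SqlEscape(where));
    }
}
```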
Member
nicola.cesaroni-iseaisea - 11/19/2010 8:27:08 AM
RE:Custom Macro - sqlescape
Yes, thanks. Now it's all right.

Member
lancetek - 7/3/2011 4:01:26 AM
RE:Custom Macro - sqlescape
I got stuck on this for an hour today - is this 'anti-SQL injection' feature highlighted in the documentation somewhere? If not, could it please be highlighted someplace like http://devnet.kentico.com/docs/5_5r2/devguide/index.html?appendix_a___macro_expressions.htm?

Thanks,
Lance

Kentico Support
kentico_radekm - 7/3/2011 6:31:23 PM
RE:Custom Macro - sqlescape
Hello.

I am afraid we don't have this info in our documentation yet; however, I did submit it as a requirement and we will consider it. Thank you.

Best Regards,
Radek Macalik