If condition in repeater's where clause throwing error

joyanta sen asked on December 7, 2018 00:25

Hi, I am trying the following in the Where condition inside a Repeater web part but getting an error: Message: Invalid SQL query in property "wherecondition".

    {% if (QueryString.GetValue("key", "")!="") {
        string.FormatString("(VideoTitle LIKE '%{0}%' OR Description LIKE '%{0}%')", SQLEscape(QueryString.GetValue("key", "")))|(handlesqlinjection)false
    } #%}

When I check the macro in Debug, I didn't see any error and found the proper value in the result column.

If I remove the If condition then it is working fine. Could anyone please tell me what I am missing in the where clause?

Thanks.

Correct Answer

Juraj Komlosi answered on December 11, 2018 10:24

Hi Joyanta,

The macro parameter |(handlesqlinjection)false has to be used at the end of the whole macro expression.

Instead of:

    {% if (QueryString.GetValue("key", "")!="") {string.FormatString("(VideoTitle LIKE '%{0}%' OR Description LIKE '%{0}%')", SQLEscape(QueryString.GetValue("key", ""))) |(handlesqlinjection)false } |(identity)GlobalAdministrator%}

Best regards.

1 vote

Recent Answers

David te Kloese answered on December 7, 2018 00:31

Can you check that the Disable macros checkbox isn't checked:


0 votes

joyanta sen answered on December 7, 2018 00:34

Hi David,

No it is not checked.

Thanks.

0 votes

Juraj Ondrus answered on December 10, 2018 11:58

Hi,
What is the resulting SQL query in the SQL debug? I would also try using the small black arrow next to the Where condition label to enter the macro condition.

0 votes

joyanta sen answered on December 12, 2018 18:59

Thanks a lot Juraj, your suggestion helped.

0 votes

Mirza Syahendra answered on December 21, 2018 00:19 (last edited on December 10, 2019 02:31)

Hi guys,

Can you please confirm whether the code you have provided above is safe from SQL injection?

    {% if (QueryString.GetValue("key", "")!="") { string.FormatString("(VideoTitle LIKE '%{0}%' OR Description LIKE '%{0}%')", SQLEscape(QueryString.GetValue("key", ""))) } |(handlesqlinjection)false |(identity)GlobalAdministrator%}

Correct me if I'm wrong: using SQLEscape will prevent any SQL injection, as we bypassed it using |(handlesqlinjection)false?

Thanks in advance.

0 votes

Juraj Komlosi answered on January 7, 2019 12:51

Hi Mirza,

Sorry for the delayed answer. Yes, you are right. Your macro is safe from SQL injection because the SQLEscape method escapes apostrophes.

Best regards,

Juraj

0 votes
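An added example, not from this thread and not Kentico's code: a Python script that assembles the Repeater WHERE clause the way the macro above does (assuming SQLEscape doubles apostrophes, as Juraj states) and runs it against an in-memory SQLite table with constructed rows. It shows that an apostrophe in the key is treated as a literal, while % and _ still act as LIKE wildcards; the build_where_literal variant goes beyond the thread by neutralising those too (SQLite ESCAPE syntax, not Kentico's).

```python
import sqlite3

# Constructed sample rows standing in for the video documents (assumption).
SAMPLE_ROWS = [
    ("Bob's first video", "Intro talk"),
    ("Kentico macros", "Where condition in a Repeater"),
    ("Summer trip", "100% natural footage"),
]


def sql_escape(value: str) -> str:
    """Mirror SQLEscape as described in the answer: apostrophes are doubled."""
    return value.replace("'", "''")


def build_where(key: str) -> str:
    """Mirror the macro: empty key -> no condition, otherwise the LIKE clause."""
    if key == "":
        return ""
    k = sql_escape(key)
    return f"(VideoTitle LIKE '%{k}%' OR Description LIKE '%{k}%')"


def escape_like(value: str, esc: str = "\\") -> str:
    """Also neutralise LIKE wildcards; escape the escape character first."""
    for ch in (esc, "%", "_"):
        value = value.replace(ch, esc + ch)
    return sql_escape(value)


def build_where_literal(key: str) -> str:
    """Variant where the key is matched as literal text, wildcards included."""
    if key == "":
        return ""
    k = escape_like(key)
    return (f"(VideoTitle LIKE '%{k}%' ESCAPE '\\' "
            f"OR Description LIKE '%{k}%' ESCAPE '\\')")


def matching_titles(where: str) -> list:
    """Run the assembled WHERE clause against an in-memory SQLite table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Video (VideoTitle TEXT, Description TEXT)")
    con.executemany("INSERT INTO Video VALUES (?, ?)", SAMPLE_ROWS)
    sql = "SELECT VideoTitle FROM Video" + (f" WHERE {where}" if where else "")
    return [row[0] for row in con.execute(sql)]
```

With key "%" build_where matches every row, which is why a search box fed straight into LIKE deserves wildcard escaping even when apostrophes are handled.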
