We have a need to supply multiple names when a report is cal...

[Peter Vazny]

We have a need to supply multiple names when a report is called via REST API. The number of names varies. It usually is just one but could go up to 8 or more. I found references to supplying Name1' OR 'Name2, but this does not seem to work because InfoAssist uses QUOTEDSTRING for any parameter in the filter. If I manually edit the fex and remove QUOTEDSTRING it works, but as soon as somebody opens the report in InfoAssist, it breaks.

[Peter Vazny]

Well ok, it is possible via In list filter. Funny thing is that it allows for code injection.

'Joe Shmoe'); WHERE SOMEOTHERFIELD IN ('Something', 'Other'

Who knows where this can be taken

[Warren Hinchliffe]

Here is a bit of a hack

At the effective code will be something like FIELD EQ &VAR.QUOTEDSTRING, you can be sure that quotes will be added.

&VAR = VAL

WHERE MYFIELD EQ VAL

If there are multiple values it would look like this

&VAR = VAL OR VAL2 OR VAL3

WHERE MYFIELD EQ VAL OR VAL2 OR VAL3

The simple solution is to remove the first and last quotes.

&VAR = VAL OR VAL2 OR 'VAL3

WHERE MYFIELD EQ VAL OR VAL2 OR VAL3

As this is a REST API call, I would hope this is possible.

[Peter Vazny]

I believe that QUOTEDSTRING escapes all single quotes by doubling them. So the end result of

&VAR = VAL OR VAL2 OR 'VAL3

would be

WHERE MYFIELD EQ ''VAL'''' OR ''''VAL2'''' OR ''''VAL3''

 

I tested variations of this via the API and the result is the same. I believe that QUOTEDSTRING is there to prevent code injection, besides other things and that is exactly what this hack uses.

It looks like there really isnt a good and secure solution.

[Todd Van Valkenburg]

And another hack. I have seen this behavior as well when an HTML page via a Portal runs a fex. To get around this behavior, I updated the fex WHERE clause to be an OR. Something like

WHERE define_var EQ &prompt_var.(OR(<A,A>,<B,B>)).Prompt goes here:.;

Then re-opening the fex in IA does not add the .QUOTEDSTRING which breaks the report (when run via the portal).

Todd

[David Beagan]

I experimented with ibisamp/ggsales passing multiple region values to an InfoAssis report. I used the in list which can work, as you pointed out, but has the code injection problem. To deal with this code injection, I added the following DEFINE FILE:

OK/I1 = IF &REGION.QUOTEDSTRING CONTAINS '(' THEN 0 ELSE 1;

 

And then create a WHERE statement:

WHERE OK EQ 1;

 

This assumes that the injection attack would contain the character (. Could allow for protection against other characters as necessary.

[Warren Hinchliffe]

The double quotes were just for a -SET command to assign the string to the variable.

The variable should contains VAL OR VAL2 OR VAL3

I have done this before and it works.

[Peter Vazny]

This works in that the report will not display anything if the input field contains open parentheses, but the code still executes in the background. I did some testing and I was not able to inject anything beyond additional where statements, but I am not by any means an experienced user. So proceed with caution.