Warningpanel |
---|
borderColortitle | Green |
---|
borderWidth | 1 |
---|
titleBGColor | #ddffcc |
---|
borderStyle | solid |
---|
title | DefinitionPrevent SQL injection |
|
When using Hash Variable that uses URL parameter or user-inputted value in the SQL query, ensure that these hash variable(s) are escaped in the query! Make use of hash variable escape keywords, see Hash Variable - Escaping the Resultant Hash Variable.
Example of VULNERABLE query: SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id#'
To fix this, use ?sql hash variable escape: SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id?sql#'
|
Introduction
English |
---|
JDBC Datalist Action allows you to perform SQL queries on the current or custom datasource as one (a row action and ) or more records (a bulk action) in your datalist. |
Panel |
---|
borderColor | purple |
---|
borderWidth | 1 |
---|
titleBGColor | #ddccff |
---|
borderStyle | solid |
---|
title | New Feature |
---|
|
This is a new feature in Joget Workflow v6. |
...
Figure 1 : Hyperlink in the row action placeholder and in the bulk action placeholder in the datalist builder
Image Removed
You can specify which database to perform the SQL function, either the current Joget database (default datasource) or a custom datasource (external database). JDBC Datalist Action can be used to delete records or perform an update on one or more records based on user selection in the datalist checkboxes. |
JDBC Datalist Action Properties
Configure JDBC Datalist Action
Image Added
Figure 1 : JDBC Action Menu
Image Added
Figure 2 : JDBC Datalist Action
Properties
Link / Button Datalist button label. |
Confirmation Message | Confirmation message before performing action, for example "Are you sure?". |
Datasource | Target database to execute SQL statements on. Choices:- - Custom Datasource
- JDBC Connection Parameters are needed for this choice.
- Default Datasource
|
By selecting Default Datasource, the - Points to the current database your copy of Joget
|
is currently using will be selectedCustom JDBC Driver. This field is required when Custom Datasource is selected in Datasource aboveJDBC driver name. Example values: - com.mysql.jdbc.Driver (MySQL)
- oracle.jdbc.driver.OracleDriver (Oracle)
- com.microsoft.sqlserver.jdbc.SQLServerDriver (Microsoft SQL Server)
Only applicable to "Custom Datasource" option. |
Custom JDBC URL |
Custom JDBC URL. This field is required when Custom Datasource is selected in Datasource aboveDatabase connection URL. Example: jdbc:mysql://localhost:3306/jwdb Only applicable to "Custom Datasource" option. |
Custom JDBC Username |
Custom JDBC Username. This field is required when Custom Datasource is selected in Datasource aboveDatabase username. Example: root Only applicable to "Custom Datasource" option. |
Custom JDBC Password |
Custom JDBC Password. This field is required when Custom Datasource is selected in Datasource aboveSpecified database user's password. Only applicable to "Custom Datasource" option. Info |
---|
title | Test the connection parameters |
---|
| Click on the "Test Connection" button at the bottom of the page to quickly test out your configurations. |
|
Query | Note |
---|
If a column name contains reserved keywords, do ensure it is encapsulated properly. For example for MySQL, if the column identifier itself contains a dot symbol ( . ), it should be encapsulated like this: Code Block |
---|
| SELECT `myAppName.myColumn` FROM app_fd_myTable; |
|
Insert your SQL statement here. Use syntax like {id} in query to inject the selected row key. Use {uuid} to generate a unique id (or primary key). Examples: |
Sample | INSERT INTO
app_fd_sample (id, c_clicked)
VALUES
(
{uuid}, {id}
) |
|
;Sample | UPDATE
app_fd_sample
SET
c_clicked = CONCAT(c_clicked, ',', {id})
WHERE
id = {id} |
Code Block |
---|
language | sql |
---|
title | Example |
---|
linenumbers | true |
---|
| DELETE
FROM
app_fd_myTable
WHERE
id = |
|
'123'; Info |
---|
title | Table & Column Naming |
---|
| - For database tables created by Joget Forms, Joget adds a "c_" in front of table column names (or "t_" if your column name starts with a number) and "app_fd_" in front of database table names.
- If you use environment hash variables to store SQL query strings, in your hash variable, use "?noescape" to escape SQL query strings in JDBC binders to prevent the "<>" "not equal" operator from being converted, i.e. disables XSS prevention checking. Read here for more information..
|
Info |
---|
| The special parameters {id} and {uuid} will be replaced with actual values through the use of PreparedStatement. |
|
As As you can see from the example above, there is no need to encapsulate both of these special keywords with quotes. |
|
Image Removed
Figure 3 : JDBC Datalist Action Properties - Visibility Control
Related JDBC Binders & Useful Links
Download Demo App
APP_datalist_using_jdbc_dx_kb.jwa
...