When a hash variable that resolves from a URL parameter or any other user-supplied value (for example `#requestParam.xxx#`) is used inside the SQL query, make sure the hash variable is escaped in the query. Without escaping, the raw value is substituted into the statement text before it reaches the database, and an attacker who controls that value can inject SQL. Use the hash variable escape keywords; see Hash Variable - Escaping the Resultant Hash Variable. The vulnerable form embeds the hash variable as-is; to fix it, append the `?sql` escape keyword to the hash variable (`#requestParam.xxx?sql#`) so that its resolved value is escaped before it is spliced into the query.
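The following is an added illustration, not a query from the original page. It assumes a select box whose options are filtered by a department name passed in the URL as `?dept=...`, read through the hypothetical `#requestParam.dept#` hash variable, against an assumed table `app_fd_employee` with columns `id`, `name` and `dept`:

```sql
-- Added example; table and column names are assumed, not from the page.

-- VULNERABLE: the hash variable is resolved and substituted into the statement
-- text verbatim, so whatever the browser sends in ?dept= becomes part of the SQL.
SELECT id, name
FROM app_fd_employee
WHERE dept = '#requestParam.dept#';

-- With the request parameter  dept=x' OR '1'='1  the database actually receives
--   SELECT id, name FROM app_fd_employee WHERE dept = 'x' OR '1'='1';
-- which returns every row. A UNION SELECT against another table, or a
-- comment sequence that drops the rest of the statement, works the same way.

-- FIXED: the ?sql escape keyword escapes the resolved value so that a quote
-- character in the input no longer terminates the string literal.
SELECT id, name
FROM app_fd_employee
WHERE dept = '#requestParam.dept?sql#';

-- The same payload now resolves to an ordinary comparison against the literal
-- string  x' OR '1'='1  and matches nothing.
```

Two caveats a practitioner should keep in mind: the `?sql` escape only protects a hash variable that sits inside a single-quoted string literal, so an unquoted placement (a numeric comparison, an ORDER BY column, a table name) stays injectable and must be quoted or validated on the form side instead; and the database account behind the datasource should hold only the SELECT privileges the option query needs, so that a query that does slip through cannot write or alter data.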
Database SQL Query Options lets you retrieve form option records from the Joget database or from a custom database via a user-defined SQL SELECT statement.

Figure 1: Database SQL Query Options Properties
| Name | Description |
|---|---|
| Datasource | Target database on which the SQL statement is executed. Choose either Joget's own datasource or Custom Datasource; the Custom JDBC fields below apply only to Custom Datasource. |
| Custom JDBC Driver | Fully qualified class name of the JDBC driver. Only applicable to the "Custom Datasource" option. |
| Custom JDBC URL | Database connection URL. Only applicable to the "Custom Datasource" option. |
| Custom JDBC Username | Database username. Only applicable to the "Custom Datasource" option. |
| Custom JDBC Password | Password of the specified database user. Only applicable to the "Custom Datasource" option. |
| Use AJAX for cascade options? | When checked, the field dynamically loads its available options based on the value of another field (the grouping column), which is useful when dealing with a very large number of selections. Read more at Ajax Cascading Drop-Down List. |
| Add Empty Option | Check this box if you want an empty option in the select box. Checking it displays the following field. |
| Empty Option Label | Label shown for the empty option. |
| SQL SELECT Query | The query whose result set becomes the option list. To populate a select box, the query must return at least 2 columns: the first column is used as the option Id and the second column as the option Label. When "Use AJAX for cascade options?" is checked, make sure a question mark (?) placeholder is present in the query; it receives the value of the grouping column field. For a multi-select box form element with cascading, and when using JDBC, remember to use brackets to enclose the ? parameter. |
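The three query shapes described in the SQL SELECT Query row, as an added example that is not part of the original page. It assumes a table `app_fd_employee` with columns `id`, `name` and `dept_id`, and a parent select box that supplies the department as the grouping column; the `IN (?)` form for the multi-select case is an assumed reading of "enclose the ? parameter in brackets":

```sql
-- Added example; table and column names are assumed, not from the page.

-- 1. Plain option list: the first column becomes the option Id, the second the
--    option Label. Any further columns are ignored for this purpose.
SELECT id, name
FROM app_fd_employee
ORDER BY name;

-- 2. Cascading ("Use AJAX for cascade options?" checked): the single ? is a JDBC
--    bind parameter that receives the grouping column value from the parent
--    field. Because it is bound, not spliced into the statement text, it needs
--    no hash variable escaping.
SELECT id, name
FROM app_fd_employee
WHERE dept_id = ?
ORDER BY name;

-- 3. Cascading from a multi-select parent: the parent can submit several values,
--    so the ? must be enclosed in brackets. (Assumed: the bracketed placeholder
--    expands to an IN list of the selected values.)
SELECT id, name
FROM app_fd_employee
WHERE dept_id IN (?)
ORDER BY name;
```

Prefer the bound `?` placeholder over a hash variable wherever the filtering value comes from another form field; reserve hash variables, with the `?sql` escape, for values the cascade mechanism cannot supply, and keep them inside quoted string literals.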