Prevent SQL injection
When a Hash Variable that carries a URL parameter or other user-supplied value is used inside a SQL query, make sure that hash variable is escaped in the query!
Use the hash variable escape keywords; see Hash Variable - Escaping the Resultant Hash Variable.
Example of a VULNERABLE query:
```sql
SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id#'
```
To fix this, apply the ?sql hash variable escape:
```sql
SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id?sql#'
```
Database SQL Query List Action allows you to run SQL statements against a single record (a row action) or against several records (a bulk action) in your datalist. You can choose the database the statement runs on: either the current Joget database (default datasource) or a custom datasource (an external database).
Database SQL Query List Action can be used to delete records or perform an update on one or more records based on user selection in the datalist checkboxes.
Figure 1 : Database SQL Query Action Menu
Figure 2 : Database SQL Query List Action
Properties
Name | Description |
---|---|
Label | Datalist button label. |
Confirmation Message | Confirmation message shown before the action is performed, for example "Are you sure?". |
Datasource | Target database on which to execute the SQL statement. Choices: Default Datasource (the current Joget database) or Custom Datasource (an external database). |
Custom JDBC Driver | JDBC driver name. Example values: Only applicable to the "Custom Datasource" option. |
Custom JDBC URL | Database connection URL. Example: jdbc:mysql://localhost:3306/jwdb. Only applicable to the "Custom Datasource" option. |
Custom JDBC Username | Database username. Example: root. Only applicable to the "Custom Datasource" option. |
Custom JDBC Password | Password of the specified database user. Only applicable to the "Custom Datasource" option. To test the connection parameters, click the "Test Connection" button at the bottom of the page. |
Query | Insert your SQL statement here. Use {id} in the query to inject the selected row key, and {uuid} to generate a unique id (primary key). Examples: INSERT INTO app_fd_sample (id, c_clicked) VALUES ( {uuid}, {id} ); UPDATE app_fd_sample SET c_clicked = CONCAT(c_clicked, ',', {id}) WHERE id = {id}; DELETE FROM app_fd_myTable WHERE id = {id}. If a column name contains reserved keywords, ensure it is quoted properly; for example in MySQL, if the column identifier itself contains a dot ( . ), write it as ``SELECT `myAppName.myColumn` FROM app_fd_myTable;``. See Table & Column Naming. How it works: the special parameters {id} and {uuid} are replaced with actual values through a PreparedStatement, so, as the examples show, there is no need to wrap either keyword in quotes. |
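The following is an added, runnable illustration of the two points made on this page: why an unescaped hash variable in a query is exploitable while the `?sql` escape closes the hole, and why `{id}` and `{uuid}` can be pasted without quotes when they are bound through a prepared statement. It is not Joget's code. It assumes an in-memory SQLite table (constructed here to stand in for `app_fd_sample_table`), a simplified `sql_escape()` that merely doubles single quotes as a stand-in for the real `?sql` escape, and a hypothetical `prepare()` that models the `{id}`/`{uuid}` to bind-parameter mapping.

```python
import re
import sqlite3
import uuid


def make_db():
    # Constructed in-memory table standing in for a Joget form table (not Joget's schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE app_fd_sample_table (id TEXT PRIMARY KEY, c_value TEXT, c_clicked TEXT)"
    )
    conn.executemany(
        "INSERT INTO app_fd_sample_table VALUES (?, ?, ?)",
        [("r1", "alpha", ""), ("r2", "beta", ""), ("r3", "gamma", "")],
    )
    conn.commit()
    return conn


def sql_escape(value):
    # Simplified stand-in for the ?sql escape keyword (assumption, not Joget's
    # implementation): a quote inside the value can no longer terminate the
    # string literal the value is pasted into.
    return str(value).replace("'", "''")


def lookup_raw(conn, user_value):
    # VULNERABLE: the equivalent of '#requestParam.id#' pasted verbatim into the query.
    # The value becomes part of the SQL text, so it can rewrite the WHERE clause.
    query = "SELECT id FROM app_fd_sample_table WHERE c_value = '%s' ORDER BY id" % user_value
    return [row[0] for row in conn.execute(query)]


def lookup_escaped(conn, user_value):
    # FIXED: the equivalent of '#requestParam.id?sql#'. The same hostile input is
    # now just an unusual string value that matches no row.
    query = "SELECT id FROM app_fd_sample_table WHERE c_value = '%s' ORDER BY id" % sql_escape(
        user_value
    )
    return [row[0] for row in conn.execute(query)]


PLACEHOLDER = re.compile(r"\{(id|uuid)\}")


def prepare(template, row_id):
    """Hypothetical model of how a list-action template becomes a prepared statement.

    Each {id} / {uuid} occurrence is swapped for a '?' bind marker and its value is
    appended to the parameter list, so the row key never enters the SQL text. This is
    also why the placeholders must not be wrapped in quotes: a '?' inside quotes is a
    literal string, not a bind marker.
    """
    params = []
    new_uuid = str(uuid.uuid4())  # one generated key per statement (assumption)

    def repl(match):
        params.append(row_id if match.group(1) == "id" else new_uuid)
        return "?"

    return PLACEHOLDER.sub(repl, template), params


def run_list_action(conn, template, row_id):
    # Execute a row action (e.g. the UPDATE / DELETE examples above) for one row key
    # and report how many rows were affected.
    sql, params = prepare(template, row_id)
    cur = conn.execute(sql, params)
    conn.commit()
    return cur.rowcount


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM app_fd_sample_table").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"
    print(lookup_raw(db, hostile))      # ['r1', 'r2', 'r3']: every row leaks
    print(lookup_escaped(db, hostile))  # []: the input is treated as data
    # A hostile row key bound as a parameter deletes nothing.
    print(run_list_action(db, "DELETE FROM app_fd_sample_table WHERE id = {id}", "r1" + hostile))  # 0
```

Note the contrast: the `?sql` escape makes string interpolation safe for a value that ends up inside quotes, whereas `{id}` and `{uuid}` are never interpolated at all; they are passed to the database driver as bound parameters, which is the stronger of the two mechanisms and the reason the Query examples on this page leave them unquoted.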
APP_datalist_using_jdbc_dx_kb.jwa