...

Warning: Prevent SQL injection

When using a Hash Variable that carries a URL parameter or other user-supplied value in an SQL query, ensure that the hash variable(s) are escaped in the query!

Make use of the hash variable escape keywords; see Hash Variable - Escaping the Resultant Hash Variable.

Example of a VULNERABLE query:

SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id#'

To fix this, use the ?sql hash variable escape:

SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id?sql#'
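As an added illustration (not part of the original page and not Joget's own code), the following Python script simulates hash-variable substitution for the two queries above and runs the results against a constructed in-memory SQLite table. The ?sql behaviour is approximated here by doubling single quotes, which is an assumption about the real escape, and this kind of escaping only protects a value that sits inside a quoted string literal.

```python
import re
import sqlite3

# Constructed request parameters, standing in for attacker-controlled URL parameters.
REQUEST_PARAMS = {"id": "abc' OR '1'='1"}

# Matches #requestParam.<name># with an optional ?sql escape keyword (hypothetical resolver).
HASH_VAR = re.compile(r"#requestParam\.(\w+)(\?sql)?#")


def escape_sql_literal(value: str) -> str:
    """Simplified stand-in for the ?sql escape: double single quotes so the value
    stays inside one quoted literal. Only valid for values inside a '...' literal."""
    return value.replace("'", "''")


def resolve(template: str, params: dict) -> str:
    """Substitute hash variables the way a template engine would (assumed behaviour)."""
    def sub(match):
        name, escape = match.group(1), match.group(2)
        value = str(params.get(name, ""))
        return escape_sql_literal(value) if escape else value
    return HASH_VAR.sub(sub, template)


VULNERABLE = "SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id#'"
ESCAPED = "SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id?sql#'"


def rows_returned(sql: str) -> int:
    """Run a resolved query against a constructed table and count the rows it returns."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_fd_sample_table (c_value TEXT)")
    conn.executemany("INSERT INTO app_fd_sample_table VALUES (?)", [("alpha",), ("beta",)])
    try:
        return len(conn.execute(sql).fetchall())
    finally:
        conn.close()


if __name__ == "__main__":
    for label, template in (("vulnerable", VULNERABLE), ("escaped", ESCAPED)):
        query = resolve(template, REQUEST_PARAMS)
        # The unescaped query matches every row; the escaped one matches none.
        print(f"{label}: {query}\n  rows returned: {rows_returned(query)}")
```

The unescaped template lets the quote in the parameter close the literal, so the WHERE clause matches every row; with ?sql the whole parameter stays inside one literal and matches nothing.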

Introduction


Database SQL Query, formerly known as JDBC Form Binder, allows you to use custom SQL statements to retrieve records and load them into your form fields. Similarly, you can write SQL statements to save the records from your form fields into a database table.

Database SQL Query settings are located in the form PROPERTIES tab under "Advanced > Data > Load Data From & Save Data To". Database SQL Query replaces the standard Workflow Form Binder.

For loading data, you only need to configure the datasource and a SELECT query. For storing data, you will need to write SQL statements for the SELECT, INSERT, UPDATE and DELETE database actions.

Database SQL Query cannot be used in the following cases (revert to the Workflow Form Binder instead):

  • Use of form element workflow variables. Database SQL Query will not populate or update the workflow variables.
  • Use of file and image attachment field elements. Database SQL Query will not handle file retrieval or file transfer into Joget file storage.

...