| Warningpanel |
|---|
| borderColortitle | green |
|---|
| borderWidth | 1 |
|---|
| titleBGColor | #ddffcc |
|---|
| borderStyle | solid |
|---|
title | Definition| Prevent SQL injection |
|
When using Hash Variable that uses URL parameter or user-inputted value in the SQL query, ensure that these hash variable(s) are escaped in the query! Make use of hash variable escape keywords, see Hash Variable - Escaping the Resultant Hash Variable.
Example of VULNERABLE query: SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id#'
To fix this, use ?sql hash variable escape: SELECT * FROM app_fd_sample_table WHERE c_value = '#requestParam.id?sql#'
|
Introduction
| English |
|---|
| JDBC Datalist Database Binder gives you the flexibility of designing a list datalist by using your own custom SQL query queries and database connection. |
| Panel |
|---|
| borderColor | purple |
|---|
| borderWidth | 1 |
|---|
| titleBGColor | #ddccff |
|---|
| borderStyle | solid |
|---|
| title | New Feature |
|---|
|
This feature has been enhanced in Joget Workflow v6. |
Image Removed
JDBC Datalist Properties
Configure JDBC Datalist Binder
Image Added
Figure 1: JDBC Datalist Database Binder Properties
| Name | Description |
|---|
| Datasource | Target database to execute SQL statements on. Choices:- - Custom Datasource
- JDBC Connection Parameters are needed for this choice.
- Default Datasource
|
By selecting Default Datasource, the - Points to the current database your copy of Joget
|
is currently using will be selectedCustom JDBC Driver. This field is required when Custom Datasource is selected in Datasource aboveJDBC driver name. Example values: - com.mysql.jdbc.Driver (MySQL)
- oracle.jdbc.driver.OracleDriver (Oracle)
- com.microsoft.sqlserver.jdbc.SQLServerDriver (Microsoft SQL Server)
Only applicable to "Custom Datasource" option. |
|
Custom JDBC URL. This field is required when Custom Datasource is selected in Datasource aboveCustom JDBC Username. This field is required when Custom Datasource is selected in Datasource aboveDatabase username. Example: root Only applicable to "Custom Datasource" option. |
|
Custom JDBC Password. This field is required when Custom Datasource is selected in Datasource aboveSpecified database user's password. Only applicable to "Custom Datasource" option.
| Info |
|---|
| title | Test the connection parameters |
|---|
| Click on the "Test Connection" button at the bottom of the page to quickly test out your configurations. |
|
| |
Query. (e.g. Select * from dir_user)
query to populate the datalist.
| Code Block |
|---|
| SELECT * FROM app_fd_myTable |
| Note |
|---|
If a column name contains reserved keywords, do ensure it is encapsulated properly. For example for MySQL, if the column identifier itself contains a dot symbol ( . ), it should be encapsulated like this: | Code Block |
|---|
| SELECT `myAppName.myColumn` FROM app_fd_myTable; |
|
| Info |
|---|
| title | Table & Column Naming |
|---|
| - For database tables created by Joget Forms, Joget adds a "c_" in front of table column names (or "t_" if your column name starts with a number) and "app_fd_" in front of database table names.
- If you use environment hash variables to store SQL query strings, use "?noescape" to escape SQL query strings in JDBC binders to prevent the "<>" "not equal" operator from being converted, i.e. disables XSS prevention checking. Read here for more information..
|
|
| Define the primary key column. By default, it should be "id". |
| Optimize query for paging | When checked, the binder only fetches selected page's items rather than the returning the whole data set |
for improved loading speedto optimize the performance for large dataset paging. |
Note: Only applicable to MYSQL and MSSQL target database.
| Info |
|---|
|
This is a new feature in Joget Workflow v6. |
Only works for MySQL and Microsoft SQL Server 2012 onwards. |
Related JDBC Binders & Useful Links
Download Demo App
APP_datalist_using_jdbc_dx_kb.jwa