#1 2019-03-21 21:22:12

hw
Member
Registered: 2018-12-24

Data source parameter in dynamic list through httpauthexport

Hi,

I understand that for "where xxx in (......)" to be safe from SQL injections, the $X{IN, ..., ...} function has to be used.  For $X{} to work, the parameter has to be a data source parameter.

I am using a dynamic list, accessing through the URL http://localhost:8080/reportserver/reportserver/httpauthexport?key=......

There is a problem.

If the parameter is absent from the URL, the default value for the parameter configured in ReportServer obviously goes into the query as expected.

If the parameter is present in the URL as has a value, the value apparently also goes into the query as expected.

However, if the parameter is present in the URL but does not have a value (that is, http://.....?....&p_parameter=), how should this condition be handled in the query?

According to the Jasper documentation (I guess ReportServer uses the Jasper engine to process $X{}), if the parameter is null, $X{IN,....,....} evaluates to true.  But I would like to get a false instead, because a true will return all rows from the table.

I have tried adding conditions like "$P{parameter} is not null" and "$P{parameter} <> ''" in the query, to aid $X{IN,.....}, but they seem to always give true as well.

So, the question is, what should I do to detect the condition of the parameter being present in the URL but does not have a value?  If ReportServer can pass in the configured default value in this case, it will be good, but how to do this?

Thanks.

Offline

#2 2019-03-27 08:16:16

Patryx
Member
Registered: 2019-03-25

Re: Data source parameter in dynamic list through httpauthexport

I have a similar problem with passing parameter via URL which I use in $X{}. I want to use "6.11.4. Embedding the Report Execution View" - so I need to change '=' to ':' when it comes to parameters in url.
Have you found the solution?
How do you pass datasource parameter in URL? Are you sure that only datasource parameter can be an array?
In my case it doesn't work at all (I tried p_parameter:123|213).
I would be grateful for example.

Last edited by Patryx (2019-03-27 08:18:07)

Offline

#3 2019-03-27 11:05:23

eduardo
Administrator
Registered: 2016-11-01
Website

Re: Data source parameter in dynamic list through httpauthexport

Hi hw,

we see the issue. With this URL, I can see two cities:
http://.../reportserver/httpauthexport?id=2127159&user=root&apikey=myapikey&format=PDF&p_cities=Miami|London
this is correct.
If I change the URL to:
http://.../reportserver/httpauthexport?id=2127159&user=root&apikey=myapikey&format=PDF&p_cities=
I see all cities.

You mention the Jasper documentation. Can you please share the link where you can read this?
I raised ticket RS-3372 for this. In the meanwhile, you can use a similar URL as: http://.../reportserver/httpauthexport?id=2127159&user=root&apikey=myapikey&format=PDF&p_cities=null

@Patryx: please open a new thread for unrelated questions. The question here was why deleting the parameter values in the URL all values are being shown. This is unrelated to your question.
Anyway, this url is working for me:
http://.../ReportServer.html#inlinereport/id:2127159&p_cities:Miami|London
If this doesn't work for you, please make a new thread and post your exact reportserver version (rsversion.properties) and the exact url you are using.

Regards,
Eduardo

Offline

Board footer

Powered by FluxBB