SQL Injection in Pentaho Reporting
monylulu
01-07-2009, 01:14 PM
Hi all,
I have a report based on an SQL query which contains an "in" expression which receives a list as a parameter. However, it's possible that the client passes an SQL query in the parameter, and Pentaho doesn't give any exception!
Is it possible to configure any sort of validation, in the action file for example? I can't use Secure Filter because my application calls Pentaho directly through HTTPClient. Besides this, Secure Filter just creates an input page.
Thanks in advance.
Taqua
01-07-2009, 01:38 PM
The reporting engine itself only supports Prepared-Statements, which are immune to any SQL injection.
So I assume you are talking about the XActions. In XActions, there are two ways to define parameters. One is a simple string replacement, allowing you to even rewrite the SQL query and the other is to use Prepared-parameters which get mapped into Prepared-statements (and therefore are also safe from Injections).
The general rule is: If you use plain parameters, then you are open to everything unless you validate the parameters with a "SecureFilterComponent" (or any other validation rule). The plain parameters have their uses in the more advanced scenarios, but in most cases, you should use prepared statements or at least a SecureFilterComponent before you do a query.
With great power comes great responsibility :D
PS: I'm moving this to the BI-Server section, as this is not related to the reporting engine at all.
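As an added illustration of the distinction Taqua draws (not code from the thread, from Pentaho or from its XAction files), the following Python script uses an in-memory SQLite table to show the same SQL run both ways: once with the client's "in" list spliced into the statement as plain text, and once expanded into one bound placeholder per element so the values can only ever be data. It also includes a small validation rule of the kind a SecureFilterComponent would stand in for, so a caller that sends the list as one comma-separated string, as the original question's HttpClient setup does, still cannot change the statement. The table, the rows, the `sales` query and the function names are all constructed for this example; the XAction syntax itself is not shown.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
SAMPLE_ROWS = [
    (1, "north", 100),
    (2, "south", 200),
    (3, "north", 300),
    (4, "restricted", 9999),
]

# The report is only meant to show non-restricted regions; the id list is the
# client-supplied "in" parameter from the original question.
BASE_SQL = ("SELECT id, region, amount FROM sales "
            "WHERE id IN ({ids}) AND region <> 'restricted'")


def make_db():
    """In-memory SQLite database standing in for the report's data source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE sales (id INTEGER, region TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO sales VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_plain(conn, id_list_text):
    """Plain string replacement: the parameter text is spliced into the SQL,
    so whatever the client sends becomes part of the statement."""
    sql = BASE_SQL.format(ids=id_list_text)
    return conn.execute(sql).fetchall()


def query_prepared(conn, ids):
    """Prepared statement: one '?' per list element, values bound by the driver.
    A list must be expanded this way because a single placeholder cannot hold a
    list, and an empty list would otherwise produce the invalid 'IN ()'."""
    ids = list(ids)
    if not ids:
        return []
    sql = BASE_SQL.format(ids=", ".join("?" for _ in ids))
    return conn.execute(sql, ids).fetchall()


def parse_id_list(text):
    """Validation rule for a raw comma-separated parameter: accept only
    non-negative integers and reject anything else before it reaches SQL."""
    parts = [p.strip() for p in text.split(",")]
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("id list must contain only comma-separated integers: %r" % text)
    return [int(p) for p in parts]


def demo():
    """Run the honest and the hostile parameter through both query styles."""
    conn = make_db()
    honest = "1, 3"
    hostile = "1) OR 1=1 --"   # closes the IN list, widens the WHERE, comments out the rest
    results = {
        "plain_honest": query_plain(conn, honest),
        "plain_hostile": query_plain(conn, hostile),          # leaks the restricted row
        "prepared_hostile": query_prepared(conn, [hostile]),  # bound as a value, matches nothing
        "prepared_validated": query_prepared(conn, parse_id_list(honest)),
    }
    try:
        parse_id_list(hostile)
        results["validation_rejected"] = False
    except ValueError:
        results["validation_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The hostile value turns the plain-replacement statement into `... WHERE id IN (1) OR 1=1 --) AND region <> 'restricted'`, which returns every row including the restricted one; bound as a parameter, the same text is just a string that no integer id equals, and the validation rule rejects it before any query is built.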
monylulu
01-07-2009, 01:56 PM
Hi Taqua,
Is it possible to set validation rules in the Eclipse Design Studio interface? With Secure Filter, for example, the window only allows you to specify the name of the parameters (Prompt for) and the prompt style.
Thanks.
prabhakar_tce
01-19-2009, 09:40 AM
Hi Taqua,
I want to pass a Locale variable from my application and make it select the appropriate properties file. Can you tell me how I can pass a Locale variable as a dynamic param to the XAction file?
Thanks,
Prabhakar.