Questions and discussion about using ProcessMaker 2: user interface, running cases and functionality
Forum rules: Please search to see if a question has already been asked before posting. Please don't ask the same question in multiple forums.
By amform
#788857
Hello,
I have a little problem. I'm building a grid where I will have some dependent fields, because I have several lists involved.
I already did the DB connection and it was fine, but after running the query (in the preview screen), if I click the dropdown I can see blank lines (like the query result, but not showing the strings). How can I solve this problem? Should I populate the dropdown with a trigger instead?
Thanks for the help
By amosbatto
#788859
You need to return two fields in your query if using a dropdown box, for both the value and the label. You can return the same for both:
SELECT X, X FROM MYTABLE WHERE Y=@@myField


If you post your SQL query, I might be able to figure out what is wrong. Also remember that @@myField is case sensitive. What type of field in your DynaForm is @@myField?
By amform
#788864
In a related question:
If I want to put another dropdown in the grid, but this one depending on the first one,
is this the query that I should use?
SELECT ISSUE,ISSUE
FROM MY_TABLE
WHERE STAGE=@@tbStage
@@tbStage being the name of the first dropdown
By zainab
#788948
Hello,
This would work perfectly fine.
On the safer side, you should put @@tbStage in single quotes in the SQL query, as it often causes a problem in mapping. Like:
SELECT ISSUE,ISSUE FROM MY_TABLE WHERE STAGE='@@tbStage'
By amosbatto
#788964
zainab wrote: On the safer side, you should put @@tbStage in single quotes in the SQL query, as it often causes a problem in mapping. Like:
SELECT ISSUE,ISSUE FROM MY_TABLE WHERE STAGE='@@tbStage'
Just to clarify, this query:
SELECT ISSUE,ISSUE FROM MY_TABLE WHERE STAGE=@@tbStage
produces something like:
SELECT ISSUE,ISSUE FROM MY_TABLE WHERE STAGE="value_in_field"
" (double quotation marks) are not standard SQL, but they seem to work in most databases to delimit strings.

If you want to conform to the SQL standard, then you should do it this way:
SELECT ISSUE,ISSUE FROM MY_TABLE WHERE STAGE='@=tbStage'
It will produce a query like:
SELECT ISSUE,ISSUE FROM MY_TABLE WHERE STAGE='value_in_field'
However, don't use this query if the user might enter ' (a single quotation mark) in the field.
ProcessMaker doesn't have any mechanism built-in to prevent SQL injection attacks, but you can add JavaScript code to the onchange event to automatically escape everything:
// Escape backslashes, double quotes, single quotes and NUL bytes
// so the value can be placed inside a quoted SQL string literal.
function addslashes(str) {
  return (str + '').replace(/[\\"']/g, '\\$&').replace(/\u0000/g, '\\0');
}

// When the field changes, overwrite its value with the escaped form
// before it is substituted into the dependent dropdown's query.
$("#fieldID").setOnchange( function(newVal, oldVal) {
    $("#fieldID").setValue( addslashes(newVal) );
});
By daBoomKing
#789392
Hi Amosbatto

I hope you can clarify for me. The SQL injection thing is something I'm particularly worried about, and I have been concerned about it for a while but haven't seen anything written about it. The reason is that I have 3rd-party users on the system.

If there is no server-side protection against SQL injection, then wouldn't that mean virtually no protection? I.e. if it's just protection built into the JS, that's not hard for an attacker to mess with: they can modify the JS at their end, or use whatever tools they use to break into the system quite easily?

Hope that makes sense.

Thanks
Andrew