A subclass of SqlHtmlRpt.pm which allows use of sqlon parameters,
which are meant to enhance sqlpn parameters in a safe manner.
Licensed under the same terms as Perl itself, with no warranty or claims of fitness for any particular use.
There are no additional properties beyond those declared by SqlHtmlRpt.
Overridden to define the fmt_param_o parameter type.
Implements the extension which is provided by this subclass. Returns the
substitutions in the passed arrayref. index is the number of the
parameter, the N in sqloN.
This module overrides or alters the operation of the following methods.
See SqlHtmlRpt for the basic concepts of operation. Performs additional
preprocessing on sqloN parameters, as they might be used in the context
of a HTML SELECT item, and renders them ``safe''... along with some
additional, useful cruft, of course.
CGI parameters are the same as for SqlHtmlRpt with the addition of
sqloN parameters.
This module introduces an additional template construct, the SQLON
comment block (and additional optional SQLON_X blocks). The SQLON
block is required for each sqlon parameter.
The purpose of these blocks is to define the allowable values for the
sqlon parameter and map those to substitution values. The substitutions
are performed before the template is deconstructed, so you can use
%%sqlxn%% substitutions within them.
Within each block, on a separate line, each allowable value is mapped to a substitution string as follows:
<value> = "<substitution>"
The original %%sqloN%% value is still available for substitution.
In addition, the following substitutions are available:
%%sql_opt_N%%SQLPN block will be
inserted here.
%%sql_opt_N_X%%SQLPN_X blocks will be inserted.
When the init CGI parameter is true, these additional substitutions are replaced with an empty string.
The sqlpN parameter variant (as opposed to the sqlsN and sqlnN
variants) is generally recognized (and documented) as unsafe unless additional
checking is done in the enclosing CGI.
Not that there aren't ways around this:
you may find a file called rpt-safe-sqlpn-hack.tmpl in this directory which
shows one way of rendering sqlpN parameters relatively safe without coding
it in the CGI wrapper. But it is a hack; sort of a fun hack, but nonetheless
a hack, and not particularly extensible.
If you don't trust the people creating the templates, then coding in the CGI wrapper is still the best answer.
If you do trust the people creating the templates (just not the (ab)users using them), then this extension is one possible answer. In particular, if you want to do wholesale alterations to the SQL statements which are executed based on some known set of possible values, this is a pretty elegant solution.
In addition to the previously mentioned file, you should find a file named
rpo-contact-field-sort.tmpl which accomplishes the same thing as
rpt-safe-sqlpn-hack.tmpl but utilizing the extensions in this module.
Want help? Fred Morris has been a licensed business in Seattle Washington since 1984. I have extensive experience writing and using reporting tools. I helped write Park Software's XENTIS report writer for OpenVMS (and the mother of all report wizards), working on its development off and on for about 8 years. Not only have I used XENTIS in production environments, I have extensive experience with a variety of SQL (and other) databases as well as with ACI's 4th Dimension and Microsoft's Access.
We can provide training, consulting and even do it all for you: contact us!