Hi,

 

 

I'm not sure whether the SQL statement is correct, since not familiar with Postgres. But I guess FME has logged related error message when the SQL failed. Is there any hint in the error message?

 

 

Takashi

---

Hi,

 

 

this is, as you've noted, related to SQL injection attacks. The main problem is that the FME SQLExecutor doesn't bind variables, and as such all values are sent as string literals, leading to all kinds of potential problems. You therefore have to sanitze your attribute values before the SQLExecutor.

 

 

PostgreSQL and Oracle (and perhaps also other) supports an escaping mechanism that you might try. For PostgreSQL, I'd try dollar quoted string contants (http://www.postgresql.org/docs/current/static/sql-syntax-lexical.html#SQL-SYNTAX-DOLLAR-QUOTING), e.g.:

 

 

UPDATE function_program_data_function_structure

 

SET text_data = $my_string_tag$@Value(fs_10_10_10_10)$my_string_tag$

 

WHERE level_id=@Value(id) AND flag_no='10' AND group_no='10' AND group_element_no='10' AND field_no='10'

 

 

(For reference, this is the equivalent in Oracle (http://www.adp-gmbh.ch/ora/sql/q.html))

 

 

Please also consider writing Safe support to add your voice to the existing enhancement request for bind variables in the SQLExecutor :-)

 

 

David

---