
Parameterized WHERE clause in database reader

Related products: FME Flow
  • February 11, 2016
  • 1 reply

I have a script in FME Server that gets called by a URL with parameters for the WHERE clause. The query string on the URL looks like this:

some_example.fmw?Year=2010&Neighbourhood=Kensington-Cedar%20Cottage

The WHERE clause in the database reader then looks like this:

neighbourhood = '$(Neighbourhood)' AND year(event_date) = $(Year)

As I understand it, there is no way to "parameterize" the WHERE clause to avoid an SQL injection attack. Since we are planning to expose our FME Server to the world, it would be great to have this ability in database readers.


1 reply

david_r
  • February 12, 2016

Yes, please support bind variables in all SQL statements.
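As an added illustration of the risk raised in the post and the bind variables requested in the reply (example code, not part of the original thread and not FME's own implementation), the snippet below runs the reader's WHERE clause against a constructed in-memory SQLite table in two ways: `query_interpolated` pastes the URL parameters into the SQL text the way `$(Neighbourhood)` and `$(Year)` substitution does, while `query_bound` passes them as bind variables. SQLite has no `year()` function, so `strftime('%Y', ...)` stands in for it; the table name, columns and rows are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the table behind the database reader.
SAMPLE_ROWS = [
    ("Kensington-Cedar Cottage", "2010-03-01"),
    ("Kensington-Cedar Cottage", "2011-07-15"),
    ("St. John's", "2010-05-20"),          # legitimate value containing a quote
    ("Downtown", "2010-09-09"),
]


def make_db():
    """Build the constructed events table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (neighbourhood TEXT, event_date TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def query_interpolated(conn, neighbourhood, year):
    """Mirror $(...) text substitution: the request values become part of the SQL."""
    sql = ("SELECT neighbourhood FROM events WHERE neighbourhood = '%s' "
           "AND CAST(strftime('%%Y', event_date) AS INTEGER) = %s"
           % (neighbourhood, year))
    return [row[0] for row in conn.execute(sql)]


def query_bound(conn, neighbourhood, year):
    """Bind variables: the SQL text is fixed, values travel separately.
    int() also rejects any Year that is not a plain number."""
    sql = ("SELECT neighbourhood FROM events WHERE neighbourhood = ? "
           "AND CAST(strftime('%Y', event_date) AS INTEGER) = ?")
    return [row[0] for row in conn.execute(sql, (neighbourhood, int(year)))]


def run_both(neighbourhood, year):
    """Return (interpolated_result, bound_result) for one request's parameters.
    An interpolated query that no longer parses is reported as 'SQL error'."""
    conn = make_db()
    try:
        interpolated = query_interpolated(conn, neighbourhood, year)
    except sqlite3.Error:
        interpolated = "SQL error"
    return interpolated, query_bound(conn, neighbourhood, year)
```

With the value from the post both variants agree; a neighbourhood containing an apostrophe breaks the interpolated query but is matched correctly when bound, and a value that rewrites the WHERE clause under interpolation is simply an unmatched string under binding.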

