Archived

Parameterized WHERE clause in database reader

Related products: FME Flow
  • February 11, 2016

I have a script in FME Server that gets called by a URL with parameters for the WHERE clause. The querystring on the URL looks like this:

some_example.fmw?Year=2010&Neighbourhood=Kensington-Cedar%20Cottage

The WHERE clause in the database reader then looks like this:

neighbourhood = '$(Neighbourhood)' AND year(event_date) = $(Year)

As I understand it, there is no way to "parameterize" the WHERE clause to avoid an SQL injection attack. Since we are planning to expose our FME Server to the world, it would be great to have this ability in database readers.


1 reply

david_r
Celebrity
  • February 12, 2016

Yes, please support bind variables in all SQL statements.
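Added example, not part of the original thread and not FME code: the WHERE clause from the question run once with text substitution and once with bind variables, using Python's sqlite3 as a stand-in for the database reader. The table, sample rows, function names and the registered year() function are constructed for illustration, and it assumes $(...) is expanded as plain text, as the question describes.

```python
import re
import sqlite3

# The WHERE clause from the question, with its $(...) placeholders.
TEMPLATE = "neighbourhood = '$(Neighbourhood)' AND year(event_date) = $(Year)"
# The same predicate written with bind variables (sqlite3 named style).
BOUND = "neighbourhood = :neighbourhood AND year(event_date) = :year"


def make_db():
    """Constructed sample data; year() is registered because SQLite lacks it."""
    db = sqlite3.connect(":memory:")
    db.create_function("year", 1, lambda d: int(d[:4]))
    db.execute("CREATE TABLE events (neighbourhood TEXT, event_date TEXT)")
    db.executemany("INSERT INTO events VALUES (?, ?)", [
        ("Kensington-Cedar Cottage", "2010-03-01"),
        ("Kensington-Cedar Cottage", "2011-07-15"),
        ("Strathcona", "2010-05-20"),
    ])
    return db


def query_substituted(db, neighbourhood, year):
    """Text substitution: the URL values become part of the SQL text."""
    where = (TEMPLATE.replace("$(Neighbourhood)", neighbourhood)
                     .replace("$(Year)", year))
    return db.execute("SELECT * FROM events WHERE " + where).fetchall()


def query_bound(db, neighbourhood, year):
    """Bind variables: values travel separately and are never parsed as SQL."""
    if not re.fullmatch(r"[0-9]{4}", year):
        raise ValueError("Year must be a four-digit number")
    params = {"neighbourhood": neighbourhood, "year": int(year)}
    return db.execute("SELECT * FROM events WHERE " + BOUND, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a quoted string value and an unquoted numeric value.
    cases = [("Kensington-Cedar Cottage", "2010"),
             ("x' OR '1'='1", "2010"),
             ("Strathcona", "2010 OR 1=1")]
    for n, y in cases:
        print("substituted:", len(query_substituted(db, n, y)), "rows")
        try:
            print("bound:      ", len(query_bound(db, n, y)), "rows")
        except ValueError as exc:
            print("bound:       rejected,", exc)
```

The Year case shows why escaping quotes alone is not enough: that placeholder is unquoted in the original clause, so only binding or strict type validation keeps the value from being read as SQL.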