← Back to team overview

dhis2-devs team mailing list archive

Re: Issue with date varibales for Sql View of type allows for variables

 

Hi Bharath,

sorry I know this is a bit unclear. For security purposes we have strict
checks on the URL variables to prevent malicious values from being executed
as SQL. We are currently only allowing alphanumeric values so it stopped
your dates since they have dashes inside. I have made two changes and
backported them to 2.20 now:

- For variable values we now allow characters, numbers, dash, underscore
and space.

- I have implemented better feedback so that the API will tell you which
variables are invalid in the response.

- I have also updated the docs to reflect this.

Please try again with latest 2.20.

regards,

Lars


On Tue, Sep 15, 2015 at 11:10 AM, Bharath <chbharathk@xxxxxxxxx> wrote:

> Thanks Knut. without dashes I am able to get the data.
>
> On Tue, Sep 15, 2015 at 1:18 PM, Knut Staring <knutst@xxxxxxxxx> wrote:
>
>> The dates should be like this: 20150101 and 20151231. Actually, the
>> manual is confusing on this point, as it starts with dashes:
>>
>> https://www.dhis2.org/doc/snapshot/en/developer/html/ch01s04.html
>>
>> On Tue, Sep 15, 2015 at 8:26 AM, Bharath <chbharathk@xxxxxxxxx> wrote:
>>
>>> Hi,
>>>
>>> I have created a sample sql view which has 2 variable parameters namely
>>> startDate and endDate. My sql view looks like:
>>>
>>>
>>> *SELECT dv.* from datavalue dv inner join period p on dv.periodid =
>>> p.periodid where p.periodtypeid = 8 and p.startdate >= '${startDate}' and
>>> p.enddate <='${endDate}' limit 500;*
>>>
>>> I am trying to pass these 2 date values from api url, but getting below
>>> error message:
>>>
>>> URI:
>>>
>>> https://apps.dhis2.org/demo/api/sqlViews/Eod3B6ET3dw/data.json?var=startDate:2015-01-01&var=endDate:2015-03-31
>>>
>>> Response:
>>> {
>>>
>>>    - httpStatus: "Conflict",
>>>    - httpStatusCode: 409,
>>>    - status: "ERROR",
>>>    - message: "SQL query contains variables which were not supplied in
>>>    request: [endDate, startDate]"
>>>
>>> }
>>>
>>> If I place these date values inside sqlview then I am able to get the
>>> result.
>>>
>>> Can you please help me to find where I am doing mistake. Thanks.
>>>
>>>
>>>
>>>
>>> --
>>>
>>> Regards,
>>> Bharath Kumar. Ch
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-devs
>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>>
>> --
>> Knut Staring
>> Dept. of Informatics, University of Oslo
>> Norway: +4791880522
>> Skype: knutstar
>> http://dhis2.org
>>
>
>
>
> --
>
> Regards,
> Bharath Kumar. Ch
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>


-- 
Lars Helge Øverland
Lead developer, DHIS 2
University of Oslo
Skype: larshelgeoverland
http://www.dhis2.org <https://www.dhis2.org>

Follow ups

References