
dhis2-users team mailing list archive

Re: Web API 'criteria' fails to recognize parameters with special characters

 

Hey Sam,

this is not documented, but we only accept a-z 0-9 / alphanumerical
characters + space for criteria filters and values. This is a security
measure to avoid SQL injection and other spooky stuff (think about someone
passing a drop table SQL statement as a value). I think we can improve this
by coming up with a character white-list including dash. Input appreciated.

Lars


On Sun, Nov 2, 2014 at 10:03 AM, Sam Kasozi <kasozis@xxxxxxxxx> wrote:

> Hi Stephen,
>
> That might help in some scenarios, however in this case, a dash is one of
> the acceptable characters in a URL. Trying to encode it with '%2D' converts
> it back to a dash before being sent to the API.
>
> Sam Kasozi
> Information Systems Consultant
> HISP Uganda | GHSI - Uganda MOH - PH Emergency Operation Center
> +256 788 993565 | +256 757 662752
> kasozis@xxxxxxxxx | skasozi@xxxxxxxxxxx <kasozis@xxxxxxxxx> | Skype:
> sam.kasoziug
>
> On Sun, Nov 2, 2014 at 5:29 PM, <stephocay@xxxxxxxxx> wrote:
>
>> Sam, maybe try encoding the URL ...
>>
>> Try reading about urlencode ... For an appropriate language
>>
>> Which language are you using?
>>
>> -----Original Message-----
>> From: Sam Kasozi <kasozis@xxxxxxxxx>
>> Sender: "Dhis2-users" <dhis2-users-bounces+stephocay=gmail.com@xxxxxxxxxxxxxxxxxxx>
>> Date: Sun, 2 Nov 2014 17:14:58
>> To: dhis2-users@xxxxxxxxxxxxxxxxxxx
>> Subject: [Dhis2-users] Web API 'criteria' fails to recognize parameters with special characters
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-users
>> Post to     : dhis2-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-users
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
>
>
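An added illustration of the allow-list idea discussed in this thread, not DHIS2 code: criteria are validated after URL decoding (so '%2D' and '-' are the same input) against a character allow-list extended with dash, and the value is then bound as a query parameter. The pattern, the 64-character limit, the orgunit table and all function names are assumptions made for this example.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Assumed allow-list: letters, digits and space as described in the reply,
# plus dash. The 64-character limit is an assumption of this example.
ALLOWED = re.compile(r"[A-Za-z0-9 \-]{1,64}")


def parse_criteria(query_string):
    """Decode a query string, then validate every criteria name and value."""
    criteria = {}
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        for value in values:
            # Validation sees decoded text, so '%2D' and '-' are equivalent.
            if not ALLOWED.fullmatch(name) or not ALLOWED.fullmatch(value):
                raise ValueError(f"rejected criteria {name!r}={value!r}")
        criteria[name] = values[-1]
    return criteria


def find_units(conn, criteria):
    """Look up rows by name; the value is bound, never concatenated into SQL."""
    cur = conn.execute(
        "SELECT name FROM orgunit WHERE name = ?", (criteria["name"],)
    )
    return [row[0] for row in cur.fetchall()]


def demo_db():
    """Constructed in-memory sample data (hypothetical table and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orgunit (name TEXT)")
    conn.executemany(
        "INSERT INTO orgunit VALUES (?)", [("Kampala-Central",), ("Gulu",)]
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    for qs in ("name=Kampala%2DCentral", "name=x%27%3B%20DROP%20TABLE%20orgunit"):
        try:
            print(qs, "->", find_units(db, parse_criteria(qs)))
        except ValueError as err:
            print(qs, "->", err)
```

The allow-list and the bound parameter are independent layers: the first rejects unexpected input early, the second keeps any accepted value from being interpreted as SQL.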
