
Please look at the following code. If I do not perform the "Sanitary" steps in the function, the code does not replace the string values.

Can someone help me understand this?

Complete code:

<script type="text/javascript">
function replaceString(orgStr, oldStr, newStr) {

    //############# Sanitary Steps #############//
    // Each pair collapses every run of spaces to a single space, using "$"
    // as a placeholder; as a side effect any literal "$" also becomes a space.
    oldStr = oldStr.replace(/[ ]+/g, "$");
    oldStr = oldStr.replace(/[$]+/g, " ");
    orgStr = orgStr.replace(/[ ]+/g, "$");
    orgStr = orgStr.replace(/[$]+/g, " ");
    newStr = newStr.replace(/[ ]+/g, "$");
    newStr = newStr.replace(/[$]+/g, " ");
    //############# Sanitary Steps #############//

    // replace() with a string pattern only replaces the first occurrence,
    // so recurse until none is left (this never terminates if newStr
    // itself contains oldStr).
    orgStr = orgStr.replace(oldStr, newStr);
    if (orgStr.indexOf(oldStr) != -1) {
        orgStr = replaceString(orgStr, oldStr, newStr);
    }
    return orgStr;
}

var fields = ['"Employee Expense Facts"."Total Expense"', '"Expense Amount by Expense Type Facts"."Airfare Expense Amount"'];
var selectedField = 0;
var qry = 'SELECT rcount(1) s_0, "Employee Expenses"."Time"."Date" s_1, "Employee Expenses"."Employee Expense Facts"."Total Expense" s_2 FROM "Employee Expenses" WHERE ("Employee Expense Facts"."Total Expense" IS NOT NULL) ORDER BY 1, 2 ASC NULLS LAST WHERE ("Employee Expense Facts"."Total Expense" IS NOT NULL) ORDER BY 1, 2 ASC NULLS LAST';
// Collapse newlines, tabs and carriage returns to a single space.
qry = qry.replace(/[\n\t\r]+/g, " ");
var qry2 = replaceString(qry, "" + fields[0], "" + fields[1]);
console.log(qry2);
</script>

Help me understand why I need to perform those sanitary steps??? I found the solution just by trial and error.

aodz
  • 3
  • 1
  • 3
    Uh oh, SQL query in JavaScript ... meep meep meep ... you have turned on the self-destruction mode. – Christoph Jul 11 '12 at 07:36
  • 1
    What were you trying to do originally? Also it seems as if you construct an SQL statement in the browser which will probably be executed on a server, which is a huge no-no. – Otto Allmendinger Jul 11 '12 at 07:36
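As an added illustration of what the question's "sanitary" steps actually do (this is editor-added example code, not part of the original post or the asker's program): the three pairs of replace() calls collapse every run of spaces, and every literal "$", to a single space in all three strings, so a needle whose internal spacing differs from the haystack's still matches. The example also shows a split/join replacement that replaces every occurrence without recursion, and that, unlike String.prototype.replace, it does not interpret "$&"-style patterns in the replacement string. The sample SQL fragment and the doubled space in it are constructed for the demonstration.

```javascript
// Added example: what the "sanitary" steps do, and a non-recursive
// replace-all. Not the original question's code.

// Collapse every run of spaces or "$" to one space, exactly as the three
// pairs of replace() calls in the question do.
function sanitize(s) {
  return s.replace(/[ ]+/g, "$").replace(/[$]+/g, " ");
}

// Replace all occurrences of a literal substring without recursion.
// split/join neither loops when newStr contains oldStr nor treats "$&",
// "$1" etc. in newStr as replacement patterns.
function replaceAllLiteral(orgStr, oldStr, newStr) {
  return orgStr.split(oldStr).join(newStr);
}

// Normalize spacing on all three strings, then replace every occurrence.
function replaceStringNormalized(orgStr, oldStr, newStr) {
  return replaceAllLiteral(sanitize(orgStr), sanitize(oldStr), sanitize(newStr));
}

// Constructed sample: the haystack carries a doubled space inside the quoted
// identifier, the needle has a single one (modelled on the question's fields).
const haystack = 'SELECT "Employee Expense  Facts"."Total Expense" s_2 FROM "Employee Expenses"';
const needle = '"Employee Expense Facts"."Total Expense"';
const replacement = '"Expense Amount by Expense Type Facts"."Airfare Expense Amount"';

// Without normalization the needle is never found, so the SQL is unchanged.
function withoutSanitize() {
  return replaceAllLiteral(haystack, needle, replacement);
}

// With normalization both sides use single spaces and the replacement happens.
function withSanitize() {
  return replaceStringNormalized(haystack, needle, replacement);
}

// A replacement that contains the needle: the recursive version in the
// question would never return here, split/join terminates.
function selfContainingCase() {
  return replaceAllLiteral("a b a", "a", "aa"); // "aa b aa"
}

// "$&" means "the matched text" to String.prototype.replace; split/join
// inserts it literally.
function dollarPatterns() {
  return {
    builtin: "x".replace("x", "$&$&"), // "xx"
    literal: replaceAllLiteral("x", "x", "$&$&"), // "$&$&"
  };
}

console.log(withoutSanitize());
console.log(withSanitize());
```

The "$" placeholder trick is what makes the page's function indifferent to extra spaces and to stray "$" characters in the replacement text; a plain /[ ]+/g to " " normalization would cover the first effect without touching "$".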

2 Answers

1

My advice would be: Throw away all that code!

Now start again, handing the data from the client to the server via a normal form submit or an ajax call. Now process them server-side.

And always remember rule number one:

1) You can never trust all users to behave the way YOU want.

That's why you should never ever create your SQL client-side!

Christoph
  • 50,121
  • 21
  • 99
  • 128
  • I am working with OBIEE webservices to get the SQL and change them using a fixed logic. User never even gets to see the SQL or alter it in any way. – aodz Jul 20 '12 at 07:17
  • That's what you might think, but every experienced user can fake those requests pretty easily, altering the SQL the way they want to. – Christoph Jul 20 '12 at 07:27
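One way to follow this answer's advice, as an added example that is not Christoph's code or the asker's: the browser sends only a choice (a measure key and a filter value), and the server owns the SQL. The selectable column comes from a server-side allowlist, and the filter value travels as a bound parameter instead of being spliced into the statement. The measure names are constructed from the question's fields, the minAmount filter is an assumption added to show parameter binding, and the "$1" placeholder syntax is assumed (node-postgres style); other drivers use "?".

```javascript
// Added example, Node.js: server-side query construction from a client
// request. Not the answer's or the project's own code.

// Allowlist of measures the client may pick. The client names a key;
// it never supplies identifiers or SQL text. (Constructed names.)
const MEASURES = {
  total: '"Employee Expense Facts"."Total Expense"',
  airfare: '"Expense Amount by Expense Type Facts"."Airfare Expense Amount"',
};

// Build the statement on the server. The column is looked up, never
// taken from the request, and the filter value is bound as $1.
function buildExpenseQuery(request) {
  const column = MEASURES[request.measure];
  if (column === undefined) {
    throw new Error("unknown measure: " + String(request.measure));
  }
  const minAmount = Number(request.minAmount);
  if (!Number.isFinite(minAmount) || minAmount < 0) {
    throw new Error("minAmount must be a non-negative number");
  }
  return {
    sql:
      'SELECT rcount(1) s_0, "Employee Expenses"."Time"."Date" s_1, ' +
      '"Employee Expenses".' + column + ' s_2 ' +
      'FROM "Employee Expenses" ' +
      "WHERE " + column + " IS NOT NULL AND " + column + " >= $1 " +
      "ORDER BY 1, 2 ASC NULLS LAST",
    params: [minAmount], // handed to the driver alongside sql, not concatenated
  };
}

// What an HTTP handler would do with a JSON POST body from the form or
// ajax call: parse, validate, build, then pass sql and params to the driver.
function handleRequest(body) {
  const request = JSON.parse(body);
  return buildExpenseQuery(request);
}

console.log(handleRequest('{"measure":"airfare","minAmount":"100"}'));
```

Because the client can only choose among server-held keys, a forged request can at most select a different allowed measure; it cannot change the statement's shape.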
0

The issue is in the SQL itself:

SELECT rcount(1) s_0,
       "Employee Expenses"."Time"."Date" s_1,
       "Employee Expenses"."Employee Expense Facts"."Total Expense" s_2 
FROM   "Employee Expenses" 
WHERE ("Employee Expense Facts"."Total Expense" IS NOT NULL)
       ORDER BY 1, 2 ASC NULLS LAST 
WHERE ("Employee Expense Facts"."Total Expense" IS NOT NULL)
       ORDER BY 1, 2 ASC NULLS LAST

I found out that there are double quotes which, even after using escape characters, are not replaced. I have tried replacing the (") with special characters and then performing the string replace, and yet I am not able to do that successfully.

What's surprising is that if you create this function in a local HTML file, it works without the sanitary code, but when I upload the same code to the server it does not work. For that I had to put the sanitary lines in place.

If anyone else figures out why this is caused, please do let me know :)

thanks vx

Christoph
  • 50,121
  • 21
  • 99
  • 128
aodz
  • 3
  • 1
  • You could post this as another question in order to get some helpful answers. Users most likely won't visit a question with two (accepted) answers. – Christoph Jul 20 '12 at 07:29