I have a calculated view that I am trying to query from an XSJS service. The view has an input parameter "INPUT_ID" which comes from the request parameters. The following statement works in the SQL Editor:
SELECT * FROM "_SYS_BIC"."com.example/VIEW" ('PLACEHOLDER' = ('$$INPUT_ID$$', 'PARAM_VALUE'))
My XSJS service is creating a prepared statement to execute the query:
conn.prepareStatement("SELECT * FROM \"_SYS_BIC\".\"com.example/VIEW\" ('PLACEHOLDER' = ('$$INPUT_ID$$', ?))");
This fails with the error message:
dberror(Connection.prepareStatement): 257 - sql syntax error: incorrect syntax near \"?\": line 1 col 122 (at pos 122) at qp_gram.y:40889.
I'm able to execute the query if I build the query without using the prepared statement value substitution, but then it's vulnerable to SQL injection. Does anyone have a solution for this?
Thanks!
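As an added example (not code from the original post), one defensive way to handle this when the PLACEHOLDER value cannot be bound with `?`: validate INPUT_ID against a strict allow-list before it touches the SQL string, and quote it as a literal as a second layer, then run the query through the $.hdb API. The allow-list pattern, the JSON response shape and the helper names are assumptions.

```javascript
// Added example, not from the original post: build the calculation-view
// query safely in XSJS when the PLACEHOLDER value cannot be a `?` bind.
// Two layers: a strict allow-list check on the request parameter, then
// SQL-literal quoting (single quotes doubled) as defence in depth.

var VIEW = '"_SYS_BIC"."com.example/VIEW"';
// Assumed shape of INPUT_ID: 1-32 alphanumerics, underscore or hyphen.
var INPUT_ID_PATTERN = /^[A-Za-z0-9_-]{1,32}$/;

function isValidInputId(value) {
  return typeof value === 'string' && INPUT_ID_PATTERN.test(value);
}

// Quote a string as a HANA SQL string literal: wrap in single quotes and
// double any embedded single quote. Only reached after the allow-list check.
function quoteLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

function buildCalcViewQuery(inputId) {
  if (!isValidInputId(inputId)) {
    throw new Error('INPUT_ID rejected by allow-list');
  }
  return 'SELECT * FROM ' + VIEW +
    " ('PLACEHOLDER' = ('$$INPUT_ID$$', " + quoteLiteral(inputId) + '))';
}

// XSJS handler; only runs inside the XS engine, where $ is defined.
function handleRequest() {
  var inputId = $.request.parameters.get('INPUT_ID');
  var conn = $.hdb.getConnection();
  try {
    var rs = conn.executeQuery(buildCalcViewQuery(inputId));
    $.response.status = $.net.http.OK;
    $.response.contentType = 'application/json';
    $.response.setBody(JSON.stringify(rs));
  } catch (e) {
    // Rejected input or a database error both end here with no SQL built
    // from raw request data.
    $.response.status = $.net.http.BAD_REQUEST;
    $.response.setBody(JSON.stringify({ error: e.message }));
  } finally {
    conn.close();
  }
}

if (typeof $ !== 'undefined') { handleRequest(); }
```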