Using Input Parameters as SQL Query Parameters
You can insert the value of an Input block as a value for a condition in a SQL statement by typing in :input-block-name as shown in this example:
Note: Using this syntax to supply input parameters to a SQL query removes any risk of an Internet attack known as SQL Injection.
In this example, the parameter value is a string that must include the % symbol for the query to work properly:
To use input parameters in a SQL statement:
1. You
must add the
Input block(s) to the mashup before you enter the SQL statement. See
Add Input Parameters for more information.
3. Then enter the SQL statement in the Enter SQL Statement property using the input parameter names you have assigned.