I recently designed some functionality for a prison department, and I unwittingly named one of my functions Escape. This raised alarm bells in the system, and a couple of men in black escorted me to an interview room.
I was questioned whether I put in some back door functionality to allow unlawfuls to escape. Luckily, the following explanation got me out of jail (the MIB must have known some Siebel).
The functionality that I was building required me to look up a code and get back the related description. The concept can be seen from the following example.
function Lookup(sType, sValue)
{
    var sDesc = "";
    var oBO = TheApplication().GetBusObject("PickList Generic");
    var oBC = oBO.GetBusComp("PickList Generic");
    oBC.ActivateField("Type");
    oBC.ActivateField("Value");
    oBC.ActivateField("Active");
    oBC.ActivateField("Description");
    oBC.ClearToQuery();
    oBC.SetViewMode(AllView);
    // The caller's values are passed to SetSearchSpec as-is (unescaped)
    oBC.SetSearchSpec("Type", sType);
    oBC.SetSearchSpec("Value", sValue);
    oBC.SetSearchSpec("Active", "Y");
    oBC.ExecuteQuery(ForwardOnly);
    // Return the description of the first match, or "" if there is none
    if (oBC.FirstRecord())
        sDesc = oBC.GetFieldValue("Description");
    return sDesc;
}
However, the lookup value that I was using contained special keywords and values which caused my query to fail.
[Fail Scenarios]
var sValue = "Thomas and Dieter";
var sValue = "Thomas or Dieter";
var sValue = "Dieter's the one with dimples";
Lookup("MY_TYPE", sValue);
To understand what's happening, let's have a look at how Siebel generates the SQL.
var sValue = "Thomas and Dieter";
SearchSpec: [Type] = "MY_TYPE" AND [Value] = "Thomas" AND [Value] = "Dieter"
Siebel interprets "Thomas" and "Dieter" as two separate conditions and applies the "AND" operator.
var sValue = "Thomas or Dieter";
SearchSpec: [Type] = "MY_TYPE" AND ([Value] = "Thomas" OR [Value] = "Dieter")
In this case, Siebel predictably takes "Thomas" and "Dieter" and applies the "OR" operator.
var sValue = "Dieter's the one with dimples"; // Error
This will fail.
I would expect this behaviour for SetSearchExpr, but not SetSearchSpec.
[Escape]
To correct this behaviour, we need to escape our search specs.
Here's how we do it.
function Escape(v)
{
    return "'" + v.replace(/'/g, "''") + "'";
}
The above function escapes any single quotes in the expression, wraps the entire search spec in single quotes, and also implicitly converts it to a string. (This makes a good candidate for an eScript framework function.)
So when you apply the above function to the sValue variable, Siebel will take the literal expression.
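As an added example (not the author's code), here is the escaping applied to both caller-supplied arguments of Lookup and run over the three failing values from above. The recording stub and the names escapeSearchValue, makeRecordingBusComp and applyLookupSpecs are assumptions made for the demonstration; it runs in plain JavaScript, outside Siebel.

```javascript
// Quote a value so the search spec treats it as one literal: double any
// embedded single quotes, then wrap the result in single quotes.
function escapeSearchValue(v) {
  if (v === null || v === undefined) {
    throw new TypeError("search value must not be null or undefined");
  }
  // String(v) makes the conversion explicit, so a number does not
  // fail on the missing replace() method.
  return "'" + String(v).replace(/'/g, "''") + "'";
}

// Hypothetical stub (constructed for this example): records each value
// that would be handed to a business component's SetSearchSpec.
function makeRecordingBusComp() {
  var specs = {};
  return {
    specs: specs,
    SetSearchSpec: function (field, spec) { specs[field] = spec; }
  };
}

// The query-building part of Lookup with the caller's values escaped.
// "Y" is a constant chosen by the code, so it is passed unchanged.
function applyLookupSpecs(oBC, sType, sValue) {
  oBC.SetSearchSpec("Type", escapeSearchValue(sType));
  oBC.SetSearchSpec("Value", escapeSearchValue(sValue));
  oBC.SetSearchSpec("Active", "Y");
}

// Returns the [Value] spec produced for each failing value from the page.
function demo() {
  var values = [
    "Thomas and Dieter",
    "Thomas or Dieter",
    "Dieter's the one with dimples"
  ];
  return values.map(function (v) {
    var oBC = makeRecordingBusComp();
    applyLookupSpecs(oBC, "MY_TYPE", v);
    return oBC.specs.Value;
  });
}

console.log(demo().join("\n"));
```

Escape exactly once, at the point where the value enters the search spec; running an already escaped value through the function again doubles its quotes a second time and changes what is matched.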
Unfortunately for me, I put this into a class called terrorist, and created a pointer to a function called Escape.
terrorist.Escape
In retrospect, I admit that does look suspicious. I'll think of better class name/function name combinations in future.