I was questioned whether I put some back door functionality to allow unlawfuls to escape. Luckily, the following explanation got me out of jail (the MIB must have known some Siebel).
The functionality that I was building required me to look up a code and get back the related description. The concept can be seen from the following example.
function Lookup(sType, sValue)
{
    var sDesc = "";
    var oBO = TheApplication().GetBusObject("PickList Generic");
    var oBC = oBO.GetBusComp("PickList Generic");
    oBC.ActivateField("Type");
    oBC.ActivateField("Value");
    oBC.ActivateField("Active");
    oBC.ActivateField("Description");
    oBC.ClearToQuery();
    oBC.SetViewMode(AllView);
    oBC.SetSearchSpec("Type", sType);
    oBC.SetSearchSpec("Value", sValue);
    oBC.SetSearchSpec("Active", "Y");
    oBC.ExecuteQuery(ForwardOnly);
    if (oBC.FirstRecord())
        sDesc = oBC.GetFieldValue("Description");
    return sDesc;
}
However, the lookup value that I was using contained special keywords and values, which caused my query to fail.
[Fail Scenarios]
var sValue = "Thomas and Dieter";
var sValue = "Thomas or Dieter";
var sValue = "Dieter's the one with dimples";
Lookup("MY_TYPE", sValue);
To understand what's happening, let's have a look at how Siebel generates the SQL.
var sValue = "Thomas and Dieter";
SearchSpec: [Type] = "MY_TYPE" AND [Value] = "Thomas" AND [Value] = "Dieter"
Siebel interprets "Thomas" and "Dieter" as two separate conditions and applies the "AND" operator.
var sValue = "Thomas or Dieter";
SearchSpec: [Type] = "MY_TYPE" AND ([Value] = "Thomas" OR [Value] = "Dieter")
In this case, Siebel predictably takes "Thomas" and "Dieter" and applies the "OR" operator.
var sValue = "Dieter's the one with dimples";//Error
This will fail.
I would expect this behaviour for SetSearchExpr, but not SetSearchSpec.
[Escape]
To correct this behaviour, we need to escape our search specs.
Here's how we do it.
function Escape(v) { return "'" + v.replace(/'/g, "''") + "'"; }
The above function escapes any single quotes in the expression, wraps the entire search spec in single quotes, and also implicitly converts it to a string (this makes a good candidate for an eScript framework function).
So when you apply the above function to the sValue variable, Siebel will take the literal expression.
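The escaping rule above, as an added example in plain JavaScript (not the post's code and not Siebel eScript), run over the three failing values plus two constructed ones. The names escapeSpecValue, readLiteral and checkAll are hypothetical, readLiteral is a simplified checker rather than Siebel's parser, and the example goes beyond the text by accepting numbers and rejecting null.

```javascript
// Added example: runs under Node without Siebel.

// Quote a value as one search spec literal: double every embedded single
// quote, then wrap the result in single quotes (same rule as Escape above).
function escapeSpecValue(v) {
  if (v === null || v === undefined) {
    throw new TypeError("search spec value must not be null or undefined");
  }
  // String() makes the conversion explicit, so numbers are accepted too.
  return "'" + String(v).replace(/'/g, "''") + "'";
}

// Hypothetical checker (an assumption, not Siebel's parser): reads one
// quoted literal and returns the text it stands for, or null when the
// literal is unterminated or anything trails its closing quote.
function readLiteral(spec) {
  if (spec.charAt(0) !== "'") return null;
  var out = "";
  for (var i = 1; i < spec.length; i++) {
    var c = spec.charAt(i);
    if (c !== "'") { out += c; continue; }
    if (spec.charAt(i + 1) === "'") { out += "'"; i++; continue; } // doubled quote
    return i === spec.length - 1 ? out : null; // closing quote must be last
  }
  return null; // never closed
}

// The three failing inputs from the post, plus two constructed values.
var samples = [
  "Thomas and Dieter",
  "Thomas or Dieter",
  "Dieter's the one with dimples",
  "'quoted' or not", // constructed: quotes at the start and in the middle
  42                 // constructed: non-string input
];

// Escape every sample and confirm it reads back as exactly one literal.
function checkAll() {
  return samples.map(function (v) {
    var lit = escapeSpecValue(v);
    return { literal: lit, roundTrips: readLiteral(lit) === String(v) };
  });
}

checkAll().forEach(function (r) {
  console.log(r.literal, r.roundTrips ? "ok" : "BROKEN");
});
```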
Unfortunately for me, I put this into a class called terrorist, and created a pointer to a function called Escape.
terrorist.Escape
In retrospect, I admit that does look suspicious. I'll think of better class name/function name combinations in future.
That's too funny and coincidental
Glad you got out of it ok