I recently designed some functionality for a Prison department, and i unwittingly named from one my functions Escape. This raised alarm bells in the system, and a couple of men in black, escorted me to an interview room.

I was questioned whether i put some back door functionality to allow unlawfuls to escape. Luckily, the following explanation got me out of jail (The MIB must of known some Siebel).

The functionality that i was building required me to look up a code, and get back the related description. The concept can be seen from the following example.
function Lookup(sType,sValue) {
var sDesc = "";
var oBO = TheApplication().GetBusObject("PickList Generic");
var oBC = oBO.GetBusComp("PickList Generic");


oBC.SetSearchSpec("Type", sType);
oBC.SetSearchSpec("Value", sValue);
oBC.SetSearchSpec("Active", "Y");

if (oBC.FirstRecord())
sDesc = oBC.GetFieldValue("Description");
return sDesc;

However the lookup value that i was using contained special key words and values which caused my query to fail.

[Fail Scenarios]
var sValue = "Thomas and Dieter";
var sValue = "Thomas or Dieter";
var sValue = "Dieter's the one with dimples";


To understand whats happening, lets have a look at how Siebel generates the SQL
var sValue = "Thomas and Dieter";

SearchSpec: [Type] = "MY_TYPE" AND [Value] = "Thomas" AND [Value] = "Dieter"

Siebel interprets "Thomas" and "Dieter" as two separate conditions and applies the "AND" operator

var sValue = "Thomas or Dieter";

SearchSpec: [Type] = "MY_TYPE" AND ([Value] = "Thomas" OR [Value] = "Dieter")

In this case, Siebel predictably, takes "Thomas" and "Dieter" and applies the "OR" operator

var sValue = "Dieter's the one with dimples";//Error

This will fail.

I would expect this behaviour for SetSearchExpr, but not SetSearchSpec.


To correct this behaviour, we need to escape our search specs.

Heres how we do it.
function Escape(v)
return "'" + v.replace(/'/g, "''") + "'";

The above function escapes any single quotes in the expression, wraps the entire search spec in single quotes, and also implicitly converts it to a string (This makes a good candidate for an eScript framework function)

So when you apply the above function to the sValue variable, Siebel will take the literal expression.

Unfortunately for me, i put this into a class called terrorist, and created a pointer to function called Escape.

In retrospect, i admit that does look suspicious, I'll think of better class names/function name combinations in future.

1 comment:

  1. thats too funnny and coincidental
    glad you got out of it ok


Comments are open to all, please make it constructive.