Redash does not escape quotes in parameter values
Running the following query:
SELECT '{{value}}'
with value being McDonald's will return an error, because ' is not escaped. We need to apply escaping and it needs to be query runner specific.
Current workaround is for the user to do the escaping when providing the value.
Issue Analytics
- State:
- Created 6 years ago
- Comments:17 (6 by maintainers)
Yes, it’s very annoying… We would like to use Redash for production environment but it’s not possible because of this issue.
Though I am a bit hesitant to share at this point, I have come up with a couple commits that might be a start to solving this.
I started by reworking the parameter validation code a bit to simplify writing per type validation/normalization logic and to get a feel for that part of the code base. Before adding the escaping feature I added the unrelated feature of “Optional parameters” to get a better understanding of the interaction between frontend and the API, resulting in 3 main commits as well as a couple of smaller ones to fix some deprecation warnings.
I would not say this is ready for a PR yet, mostly because I feel like I am not comfortable with the codebase yet and I’d definitely not put everything in a single PR in the end.
It also only implements escaping for the PostgreSQL data source, but I guess adding it for your own data sources is not that big of a deal after checking out the pg.py diff. 😃
My current set of changes is at https://github.com/solute/redash/tree/improve_query_params
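The failure reported in the issue, next to a per-dialect literal escaper and a bound parameter, as an added example that is not Redash's code or the code in the linked branch. The `render` helper and the runner names in `ESCAPERS` are hypothetical, and an in-memory SQLite database stands in for a data source so the example runs offline.

```python
import re
import sqlite3

PARAM = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def escape_standard(value):
    # SQL-standard literal body: only the quote is special, so double it.
    if "\x00" in value:
        raise ValueError("NUL byte rejected in a string literal")
    return value.replace("'", "''")

def escape_backslash(value):
    # For dialects where backslash is also an escape character inside '...'
    # (MySQL without NO_BACKSLASH_ESCAPES): double backslashes first.
    return escape_standard(value.replace("\\", "\\\\"))

# Hypothetical runner names, not Redash's registry. "pg" assumes
# standard_conforming_strings=on, where backslash is an ordinary character.
ESCAPERS = {"sqlite": escape_standard, "pg": escape_standard,
            "mysql": escape_backslash}

def render(template, params, runner=None):
    # runner=None reproduces the reported behaviour: raw text substitution.
    escape = ESCAPERS[runner] if runner else (lambda v: v)
    return PARAM.sub(lambda m: escape(str(params[m.group(1)])), template)

def run(sql, args=()):
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute(sql, args).fetchone()[0]
    finally:
        conn.close()

def demo():
    # Query and value taken from the issue text.
    template, params = "SELECT '{{value}}'", {"value": "McDonald's"}
    try:
        naive = run(render(template, params))
    except sqlite3.OperationalError:
        naive = "error"  # the stray quote ends the literal early
    escaped = run(render(template, params, "sqlite"))
    # Bound parameter: the value never becomes part of the SQL text.
    bound = run("SELECT ?", (params["value"],))
    return naive, escaped, bound

if __name__ == "__main__":
    print(demo())
```

Where the driver supports bound parameters, they remove the need for a per-runner escaper for values; escaping only matters when the value has to be spliced into the query text.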