SQL Query Unsafe Activity

Description:

Performs a SQL SELECT query on a database and returns a DataTable of results. This activity allows the SQL command to be specified by an input argument.

Inheritance Hierarchy:

System.Object
  System.Activities.Activity
    System.Activities.AsyncCodeActivity
      Geocortex.Workflow.Activities.SqlQueryUnsafe

The SQL Query Unsafe activity allows the SQL command to be determined at runtime by variables and expressions in the workflow. Do not use unsanitized values from untrusted sources to assemble the command.

Improper use of this activity can allow malicious users to perform SQL injection attacks that could compromise your database.

Do not use this activity unless you are 100% certain that your usage is not vulnerable to SQL injection.
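The warning above, shown as an added example that is not Geocortex code: a Python and in-memory SQLite analogue contrasting command text assembled from an input value with the same query using a named parameter. The parcels table, its sample rows, and the function names are constructed for illustration; in the activity, the bound value would go in the Parameters argument rather than into Command Text.

```python
import sqlite3

# Constructed sample data; table and column names are assumptions for illustration.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parcels (id INTEGER, owner TEXT, zone TEXT)")
    db.executemany(
        "INSERT INTO parcels VALUES (?, ?, ?)",
        [(1, "alice", "R1"), (2, "bob", "C2"), (3, "carol", "R1"), (4, "alice", "C2")],
    )
    return db

# The only identifiers that may ever be spliced into the command text.
SORTABLE = {"id", "owner", "zone"}

def query_concatenated(db, owner):
    # Weak pattern: the value becomes part of the SQL text, so a quote
    # character in the input changes the structure of the statement.
    command_text = "SELECT id, owner FROM parcels WHERE owner = '" + owner + "'"
    return db.execute(command_text).fetchall()

def query_parameterized(db, owner, order_by="id"):
    # Column names cannot be bound as parameters, so the one dynamic
    # identifier is checked against a fixed allow-list before use.
    if order_by not in SORTABLE:
        raise ValueError("unsupported sort column")
    # The value is bound by name and is never parsed as SQL.
    command_text = (
        "SELECT id, owner FROM parcels WHERE owner = :owner ORDER BY " + order_by
    )
    return db.execute(command_text, {"owner": owner}).fetchall()

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a quote
    print("concatenated :", query_concatenated(db, crafted))   # every row comes back
    print("parameterized:", query_parameterized(db, crafted))  # no rows match
    print("legitimate   :", query_parameterized(db, "alice", "zone"))
```

The parameter name in the command text (:owner) and the name in the bound mapping must match, which mirrors the requirement that the activity's Parameters agree with the Command Text parameters.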

Function:

This activity allows you to perform a parameterized SQL SELECT query on a database using the ADO.NET provider that you supply.

This activity has a subtle but important difference from the SQL Query activity.

In a Workflow:

You would use this activity to perform a query on a database and then pass the DataTable of results to other activities.

Properties:

Name Description

In Arguments

Command Text

The SQL query to issue. For example:

SELECT column1, column2, column3,... FROM table_name WHERE some_column = some_value

Do not use unsanitized values from untrusted sources to assemble the command.

Parameters

The parameters of the SQL statement.

When you configure the Parameters property, Workflow Designer opens a pop-up dialog where you enter the list of parameters. The parameters must agree with the Command Text parameters in name, type, and direction.

Misc

Command Timeout

The time in seconds to wait for the command to execute.

Connection Configuration Name

The name of the connection string specified in the application's configuration file (app.config or web.config) to use in order to open a database connection.

Connection String

The connection string to use in order to open a database connection.

Display Name

SqlQueryUnsafe

You can change the name of an activity to one that describes what it does. A descriptive name can make a workflow easier to interpret and maintain.

Provider Name

The provider name to use in order to open a database connection.

Out Arguments

Results

The results of the query as a DataTable.

Version Information:

Supported from: Geocortex Essentials 4.5.