SSRS Parameter that give users options to insert values manual
Posted Wednesday, October 20, 2010 2:15 AM
I have a report where I want my users to insert their choice of account No on my parameter called account #. Using a multi-value with drop-down is a good as we have a big list of account numbers. So the better way will be to give them an option to insert their own choice of account Nos. Can I get some help with how to do it?

Below is my clause for the parameter

Where A.acct_no in (@acct_no)

Post #1007515
Posted Wednesday, October 20, 2010 7:15 AM
Pitso,

You should be able to do it just fine using Parameters in SSRS, unless something changed in 2008 that I don't know about. I believe you make the value as Non-queried and they should be able to type in the value as they want.

The issue, though, is SQL Injection attacks. Google that phrase to understand just how major a problem this can be.

I don't know if SSRS can do this, but the best solution (if it can) is to design the parameter so it does a LIKE search as they start typing in numbers. The instant someone types 1, it pulls all the accounts beginning with 1, then when they add 2, the list narrows down to the 12... numbers, when they type 3, the list narrows down even further to 123... etc. That way, they can type in the number, but the parameter is filled in by the list and if the number they type doesn't exist, they can't enter in any injection attacks.


Brandie Tarvin, MCITP Database Administrator

Webpage: http://www.BrandieTarvin.net
LiveJournal Blog: http://brandietarvin.livejournal.com/
Post #1007705
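
An added example, not part of the original posts: one way to accept a typed, comma-separated list of account numbers in a single text parameter without ever concatenating it into the query. A single-value parameter reaches the query as one scalar, so `in (@acct_no)` would compare against the whole typed string; here the string is split and only all-digit tokens are used. Assumptions: acct_no is an int column, SQL Server 2016 or later (for STRING_SPLIT), and the table, data and the name @acct_list are constructed for illustration.

```sql
-- Constructed stand-in for the real accounts table (assumption: acct_no is int).
DECLARE @accounts TABLE (acct_no int PRIMARY KEY, acct_name varchar(50));
INSERT INTO @accounts (acct_no, acct_name)
VALUES (1001, 'Alpha'), (1002, 'Bravo'), (1234, 'Charlie');

-- Constructed sample of what a user might type into the report parameter,
-- including an injection attempt, an empty token and an out-of-range number.
DECLARE @acct_list nvarchar(4000) = N'1001, 1234, 1 OR 1=1, , 99999999999';

-- Pattern to avoid: building the statement from the typed text, e.g.
--   EXEC (N'SELECT ... WHERE acct_no IN (' + @acct_list + N')');
-- which lets the typed text become part of the SQL statement.

-- Hardened form: the typed text stays data from start to finish.
WITH tokens AS (
    -- One row per comma-separated piece, with surrounding spaces removed.
    SELECT LTRIM(RTRIM(s.value)) AS tok
    FROM STRING_SPLIT(@acct_list, N',') AS s
)
SELECT a.acct_no, a.acct_name
FROM @accounts AS a
WHERE a.acct_no IN (
    SELECT TRY_CONVERT(int, t.tok)      -- NULL (no match) if the number overflows int
    FROM tokens AS t
    WHERE t.tok <> N''                  -- an empty token would otherwise convert to 0
      AND t.tok NOT LIKE N'%[^0-9]%'    -- allow-list: digits only
);
```

In a report, @acct_list would be the single-value text parameter bound to the dataset query; rejected tokens simply match nothing, so the report can also list them back to the user if that is wanted.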