Home/ Questions/Q 7587713
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T19:44:33+00:00

Having some trouble getting BIRT to allow me to create a Data Set with

  • 0

Having some trouble getting BIRT to allow me to create a Data Set with Parameters that are set at run time.

The SQL that is giving me the error is:

...
FROM SPRIDEN, SPBPERS P, POSNCTL.NBRJOBS X, NHRDIST d1
where D1.NHRDIST_PAYNO between '@PAYNO_BEGIN' and '@PAYNO_BEGIN'
AND D1.NHRDIST_YEAR = '@YEAR'
...

I have my Report Parameters defined as PaynoBegin, PaynoEnd, Year

I also have a Data Set script set for beforeOpen as follows:

queryText = String (queryText).replace ("@PAYNO_END", Number(params["PaynoEnd"]));
queryText = String (queryText).replace ("@PAYNO_BEGIN", Number(params["PaynoBegin"]));
queryText = String (queryText).replace ("@YEAR", Number(params["Year"]));

The problem seems to be that the JDBC can’t get the ResultSet from this, however I have 10 other reports that work the same way. I have commented out the where clause and it will generate the data set. I also tried breaking the where clause out into two and clauses with <= and >=, but it still throws a ORA-01722 invalid number error on the line.

Any thoughts on this?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Two quite separate thoughts:

    1) You have single quotes around each of your parameters in the query, yet it appears as though each one is a numeric – try removing the single quotes, so that the where clause looks like this:

    where D1.NHRDIST_PAYNO between @PAYNO_BEGIN and @PAYNO_BEGIN
AND D1.NHRDIST_YEAR = @YEAR

    Don’t forget that all three parameters should be required. If the query still returns an error, try replacing @PAYNO_BEGIN, @PAYNO_BEGIN and @YEAR with hardcoded numeric values in the query string, and see whether you still get an error.

    2) You are currently using dynamic SQL – amending query strings to replace specified markers with the text of the entered parameters. This makes you vulnerable to SQL Injection attacks – if you are unfamiliar with the term, you can find a simple example here.

    If you are familiar with the concept, you may be under the impression that SQL Injection attacks cannot be implemented with numeric parameters – Tom Kite has recently posted a few articles on his blog about SQL Injection, including one that deals with a SQL Injection flaw using NLS settings with numbers.

    Instead, you should use bind parameters. To do so with your report, amend your query to include:

    ...
FROM SPRIDEN, SPBPERS P, POSNCTL.NBRJOBS X, NHRDIST d1
where D1.NHRDIST_PAYNO between ? and ?
AND D1.NHRDIST_YEAR = ?
...

    instead of the existing code, remove the queryText replacement code from the beforeOpen script and map the three dataset parameters to the PaynoBegin, PaynoEnd and Year report parameters respectively in the Dataset Editor. (You should also change any other replaced text in your query text to bind parameter markers (?) and map dataset parameters to them as required.)

    • 0