topic Re: Put single quotes in variable values in a string in New SAS User

Put single quotes in variable values in a string

Incubu — Tue, 14 Jan 2020 07:42:20 GMT

Hello

For a sas/af application where the user can put free text related to variable values in a dataset, in order to make a sub-query in a WHERE statement, such as:

SEX=1 AND AGE>=16

I need to put quotes in the alphanumeric variable values and leave the numeric ones as they are. Lets say SEX is alphanumeric and AGE numeric, so the result should be:

SEX='1' AND AGE>=16

Of course there is a list of alphanumeric and numeric variables and all operators could be used ( = EQ,^= NE,¬= NE,~= NE,> GT,< LT,>= GE,<= LE, IN,& AND,| OR,! OR,¦ OR,¬ NOT,ˆ NOT,~ NOT).

Thanks in advance!

Re: Put single quotes in variable values in a string

Kurt_Bremser — Tue, 14 Jan 2020 08:02:34 GMT

So you want users to put in text that is later used in code? Ever heard of "code injection"? I don't want to be in your shoes when you have to explain to the auditors why the data warehouse needs to be rebuilt.

PS see https://xkcd.com/327/

Put single quotes in variable values in a string

Incubu — Wed, 15 Jan 2020 10:53:43 GMT

Thanks for the reply!
This application is restricted for internal users and code is audited before inserted in the query. Only code as described admited.

Re: Put single quotes in variable values in a string

Kurt_Bremser — Wed, 15 Jan 2020 11:06:56 GMT

If you audit the code anyway (which is a tedious process), you don't need that fancy stuff. Have users send you the code per email and run it. And if they are able to write that code, have them run it with their own account, which you can restrict appropriately so they don't cause havoc.