Incubu
Calcite | Level 5

Hello

 

For a SAS/AF application where the user can put free text related to variable values in a dataset, in order to make a sub-query in a WHERE statement, such as:

SEX=1 AND AGE>=16

 

I need to put quotes in the alphanumeric variable values and leave the numeric ones as they are. Let's say SEX is alphanumeric and AGE numeric, so the result should be:

SEX='1' AND AGE>=16

 

Of course there is a list of alphanumeric and numeric variables, and all operators could be used (= EQ, ^= NE, ¬= NE, ~= NE, > GT, < LT, >= GE, <= LE, IN, & AND, | OR, ! OR, ¦ OR, ¬ NOT, ˆ NOT, ~ NOT).

 

Thanks in advance!

3 REPLIES
Kurt_Bremser
Super User

So you want users to put in text that is later used in code? Ever heard of "code injection"? I don't want to be in your shoes when you have to explain to the auditors why the data warehouse needs to be rebuilt.

 

PS see https://xkcd.com/327/ 
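As an added example that is not part of this thread and not SAS code: a small Python builder that accepts only the grammar the question describes (variable names from a known type list, the listed operators, literal values), quotes character values with single quotes while doubling any embedded quote, and raises an error for anything outside that grammar. Because the input is parsed into a fixed grammar and re-emitted, rather than pasted into the WHERE statement, the injection problem raised in the reply above is closed by construction instead of by manual audit. The variable list `VAR_TYPES`, the sample expressions, and the helper names `build_where` and `rejected` are constructed for this example.

```python
import re

# Constructed stand-in for the poster's list of character and numeric variables (assumption).
VAR_TYPES = {"SEX": "char", "AGE": "num", "NAME": "char"}

# Token grammar. Longer operators are listed before their one-character prefixes.
TOKEN_RE = re.compile(r"""
    \s+                                         # whitespace, skipped
  | (?P<str>'(?:[^']|'')*'|"(?:[^"]|"")*")      # quoted literal, a doubled quote escapes a quote
  | (?P<num>-?\d+(?:\.\d+)?)                    # numeric literal
  | (?P<word>[A-Za-z_][A-Za-z0-9_]*)            # variable name or word operator
  | (?P<op>\^=|¬=|~=|>=|<=|=|>|<|&|\||!|¦|¬|\^|ˆ|~|\(|\)|,)
""", re.VERBOSE)

# Every operator spelling from the question mapped onto one canonical SAS form.
COMPARE = {"=": "=", "EQ": "=", "^=": "^=", "¬=": "^=", "~=": "^=", "NE": "^=",
           ">": ">", "GT": ">", "<": "<", "LT": "<",
           ">=": ">=", "GE": ">=", "<=": "<=", "LE": "<="}
AND_OPS = {"&", "AND"}
OR_OPS = {"|", "!", "¦", "OR"}
NOT_OPS = {"¬", "^", "ˆ", "~", "NOT"}


def tokenize(text):
    """Split the user's text into (kind, value) tokens; any other character is an error."""
    tokens, pos = [], 0
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError(f"unexpected character {text[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup:                      # None when only whitespace matched
            tokens.append((m.lastgroup, m.group(m.lastgroup)))
    return tokens


class WhereBuilder:
    """expr := term (OR term)*; term := factor (AND factor)*;
    factor := NOT factor | '(' expr ')' | VAR op value | VAR IN '(' value, ... ')'"""

    def __init__(self, var_types):
        self.var_types = {k.upper(): v for k, v in var_types.items()}

    def build(self, text):
        self.toks, self.i = tokenize(text), 0
        out = self.expr()
        if self.i != len(self.toks):
            raise ValueError(f"trailing input near {self.toks[self.i][1]!r}")
        return out

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("", "")

    def take(self):
        kind, val = self.peek()
        if not kind:
            raise ValueError("unexpected end of expression")
        self.i += 1
        return kind, val

    def expect(self, val):
        if self.take()[1] != val:
            raise ValueError(f"expected {val!r}")

    def expr(self):
        parts = [self.term()]
        while self.peek()[1].upper() in OR_OPS:
            self.take()
            parts.append(self.term())
        return " OR ".join(parts)

    def term(self):
        parts = [self.factor()]
        while self.peek()[1].upper() in AND_OPS:
            self.take()
            parts.append(self.factor())
        return " AND ".join(parts)

    def factor(self):
        val = self.peek()[1]
        if val.upper() in NOT_OPS:
            self.take()
            return "NOT " + self.factor()
        if val == "(":
            self.take()
            inner = self.expr()
            self.expect(")")
            return "(" + inner + ")"
        return self.comparison()

    def comparison(self):
        kind, name = self.take()
        name = name.upper()
        if kind != "word" or name not in self.var_types:   # only known variables, no bare literals
            raise ValueError(f"unknown variable {name!r}")
        op = self.take()[1].upper()
        if op == "IN":
            self.expect("(")
            values = [self.value(name)]
            while self.peek()[1] == ",":
                self.take()
                values.append(self.value(name))
            self.expect(")")
            return f"{name} IN ({', '.join(values)})"
        if op not in COMPARE:
            raise ValueError(f"unsupported operator {op!r}")
        return f"{name}{COMPARE[op]}{self.value(name)}"

    def value(self, name):
        kind, raw = self.take()
        if self.var_types[name] == "num":
            if kind != "num":
                raise ValueError(f"{name} is numeric, got {raw!r}")
            return raw
        if kind == "str":                    # already quoted: strip and unescape
            q = raw[0]
            raw = raw[1:-1].replace(q + q, q)
        elif kind not in ("num", "word"):
            raise ValueError(f"bad value {raw!r} for character variable {name}")
        return "'" + raw.replace("'", "''") + "'"   # re-quote, doubling embedded quotes


def build_where(text, var_types=VAR_TYPES):
    return WhereBuilder(var_types).build(text)


def rejected(text, var_types=VAR_TYPES):
    """True when the text falls outside the allowed grammar."""
    try:
        build_where(text, var_types)
        return False
    except ValueError:
        return True
```

`build_where("SEX=1 AND AGE>=16")` returns `SEX='1' AND AGE>=16`, which is the result asked for in the question; `build_where("sex in (1,2) | age ^= 30")` returns `SEX IN ('1', '2') OR AGE^=30`. Text such as `AGE>=16 OR 1=1` or anything containing a semicolon is rejected before it can reach the WHERE statement, because `1` is not a known variable and `;` is not a token of the grammar. The builder is deliberately strict: adding an operator or a function means extending the tables, not loosening the check.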

Incubu
Calcite | Level 5
Thanks for the reply!
This application is restricted to internal users, and code is audited before it is inserted in the query. Only code as described is admitted.
Kurt_Bremser
Super User

If you audit the code anyway (which is a tedious process), you don't need that fancy stuff. Have users send you the code per email and run it. And if they are able to write that code, have them run it with their own account, which you can restrict appropriately so they don't cause havoc.

 

 

 

 
