Incubu
Calcite | Level 5

Hello


For a SAS/AF application where the user can enter free text relating to variable values in a dataset, in order to make a sub-query in a WHERE statement, such as:

SEX=1 AND AGE>=16


I need to put quotes around the alphanumeric variable values and leave the numeric ones as they are. Let's say SEX is alphanumeric and AGE numeric, so the result should be:

SEX='1' AND AGE>=16


Of course there is a list of alphanumeric and numeric variables, and all operators could be used (= EQ, ^= NE, ¬= NE, ~= NE, > GT, < LT, >= GE, <= LE, IN, & AND, | OR, ! OR, ¦ OR, ¬ NOT, ˆ NOT, ~ NOT).


Thanks in advance!
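A defensive way to meet the requirement above, as an added illustration written in Python rather than SAS/AF code and not taken from the original post: the free text is tokenized against an allow-list of known variables, the operators listed in the post and plain values, anything outside that grammar (quotes, semicolons, unknown names) is rejected, and the WHERE expression is rebuilt from the validated tokens with character values quoted. The variable list VAR_TYPES is constructed for the example, and IN and NOT from the operator list are left out.

```python
import re

# Constructed variable list standing in for the poster's alphanumeric/numeric variable list.
VAR_TYPES = {"SEX": "char", "AGE": "num", "NAME": "char"}
# Operator spellings from the post, each mapped to one canonical SAS form (IN/NOT omitted).
COMPARE = {"=": "=", "EQ": "=", "^=": "^=", "NE": "^=", "¬=": "^=", "~=": "^=",
           ">": ">", "GT": ">", "<": "<", "LT": "<",
           ">=": ">=", "GE": ">=", "<=": "<=", "LE": "<="}
LOGICAL = {"&": "AND", "AND": "AND", "|": "OR", "!": "OR", "¦": "OR", "OR": "OR"}
# A token is a symbolic operator, an identifier or a number; nothing else is part of the grammar.
TOKEN_RE = re.compile(r"[<>^¬~]=|[<>=&|!¦]|[A-Za-z_][A-Za-z0-9_]*|-?\d+(?:\.\d+)?")
NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")

def tokenize(text):
    """Split the text into tokens; any character between tokens (quotes, ;, parentheses) is rejected."""
    tokens, pos = [], 0
    for m in TOKEN_RE.finditer(text):
        if text[pos:m.start()].strip():
            raise ValueError(f"unexpected text at position {pos}: {text[pos:m.start()]!r}")
        tokens.append(m.group())
        pos = m.end()
    if text[pos:].strip():
        raise ValueError(f"unexpected text at position {pos}: {text[pos:]!r}")
    return tokens

def build_where(text):
    """Rebuild a WHERE expression from validated tokens, quoting values of character variables."""
    tokens, out = tokenize(text), []
    while tokens:
        if len(tokens) < 3:
            raise ValueError("incomplete comparison")
        var, op, val = tokens.pop(0).upper(), tokens.pop(0).upper(), tokens.pop(0)
        if var not in VAR_TYPES:
            raise ValueError(f"unknown variable {var}")
        if op not in COMPARE:
            raise ValueError(f"unknown comparison operator {op}")
        if VAR_TYPES[var] == "num" and not NUMBER_RE.match(val):
            raise ValueError(f"{var} is numeric but got {val!r}")
        value = val if VAR_TYPES[var] == "num" else f"'{val}'"  # tokenizer already excluded quotes
        out.append(f"{var}{COMPARE[op]}{value}")
        if tokens:  # only a logical operator may join the next comparison
            logical = tokens.pop(0).upper()
            if logical not in LOGICAL:
                raise ValueError(f"expected AND/OR, got {logical}")
            out.append(LOGICAL[logical])
    return " ".join(out)
```

Because the output is assembled only from allow-listed names, canonical operators and typed values, the user's text never reaches the query verbatim; whatever is not in the grammar is refused instead of being passed through.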

3 REPLIES
Kurt_Bremser
Super User

So you want users to put in text that is later used in code? Ever heard of "code injection"? I don't want to be in your shoes when you have to explain to the auditors why the data warehouse needs to be rebuilt.


PS: see https://xkcd.com/327/

Incubu
Calcite | Level 5
Thanks for the reply!
This application is restricted to internal users and code is audited before being inserted in the query. Only code as described is admitted.
Kurt_Bremser
Super User

If you audit the code anyway (which is a tedious process), you don't need that fancy stuff. Have users send you the code by email and run it. And if they are able to write that code, have them run it with their own account, which you can restrict appropriately so they don't cause havoc.
