User's guide

When you use a virtual table that was created as a Command, or when you use a Command from the
SAP BusinessObjects Enterprise Repository, Crystal Reports does not alter the syntax of the SQL
submitted to the server (that is, it does not automatically add quoting or escape characters). This
behavior also applies to parameters used in Commands. Therefore, you must add the quoting and
escape characters that are necessary for your database driver.
Note:
Some of the Crystal Reports native database drivers do not support the Add Command feature:
DB2 Server
Sybase Server
Informix Online Server
The Add Command feature is susceptible to SQL Injection attacks.
Many web pages insert user-supplied parameters into the SQL queries that run against the
relational database. For example, a login web page takes a user name and password and executes
an SQL query against the database to authenticate them. An attacker can put a value in the
username or password field that adversely changes the SQL query that runs against the database.
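The following is an added example, not part of the Crystal Reports guide. Because a Command is submitted to the server verbatim, every parameter value spliced into its text has to be quoted and escaped by hand, as the note above says. The script builds the guide's example query with two text parameters and one numeric parameter, then hands the finished text to an in-memory SQLite database (a constructed stand-in for the report's data source, with constructed sample rows) to show that a raw value containing an apostrophe breaks or alters the query while a properly quoted one does not. The table contents, the helper names and the use of SQLite are all assumptions of this example.

```python
"""
Added example (not from the Crystal Reports guide): build a Command's text with
hand-quoted parameters, then submit it verbatim the way Crystal Reports does.
"""
import re
import sqlite3

# Constructed sample data shaped like the guide's Customer and Orders tables.
SCHEMA = """
CREATE TABLE Customer (`Customer ID` INTEGER, `Customer Name` TEXT,
                       `Last Year's Sales` REAL, `Region` TEXT, `Country` TEXT);
CREATE TABLE Orders (`Order Amount` REAL, `Customer ID` INTEGER, `Order Date` TEXT);
INSERT INTO Customer VALUES (1, 'Acme', 5000.0, 'East', 'USA');
INSERT INTO Customer VALUES (2, 'Nord', 7500.0, 'West', 'Canada');
INSERT INTO Customer VALUES (3, 'Abidjan Ltd', 2500.0, 'South', 'Cote d''Ivoire');
INSERT INTO Customer VALUES (4, 'Big Corp', 50000.0, 'East', 'USA');
INSERT INTO Orders VALUES (100.0, 1, '2012-01-05');
INSERT INTO Orders VALUES (200.0, 2, '2012-01-06');
INSERT INTO Orders VALUES (300.0, 3, '2012-01-07');
INSERT INTO Orders VALUES (400.0, 4, '2012-01-08');
"""

# The guide's query with the three literal values turned into placeholders.
QUERY_TEMPLATE = """
SELECT Customer.`Customer ID`, Customer.`Customer Name`, Customer.`Country`,
       Orders.`Order Amount`
FROM Customer Customer INNER JOIN Orders Orders
     ON Customer.`Customer ID` = Orders.`Customer ID`
WHERE (Customer.`Country` = {country_a} OR Customer.`Country` = {country_b})
  AND Customer.`Last Year's Sales` < {max_sales}
ORDER BY Customer.`Country` ASC
"""

_NUMBER_RE = re.compile(r"-?\d+(\.\d+)?")


def sql_string_literal(value: str) -> str:
    """Quote a text parameter: wrap in single quotes and double every embedded
    single quote (the ANSI escape most drivers accept). Control characters are
    refused instead of being passed through to the server."""
    if any(ord(ch) < 0x20 for ch in value):
        raise ValueError("control character in string parameter")
    return "'" + value.replace("'", "''") + "'"


def sql_number_literal(value) -> str:
    """Render a numeric parameter: only a plain decimal number is accepted, so
    anything else (text, operators, a second clause) never reaches the query."""
    text = str(value)
    if not _NUMBER_RE.fullmatch(text):
        raise ValueError(f"not a number: {value!r}")
    return text


def build_command(country_a: str, country_b: str, max_sales) -> str:
    """Produce the Command text exactly as it would be submitted to the server."""
    return QUERY_TEMPLATE.format(
        country_a=sql_string_literal(country_a),
        country_b=sql_string_literal(country_b),
        max_sales=sql_number_literal(max_sales),
    )


def build_command_unescaped(country_a: str, country_b: str, max_sales) -> str:
    """The mistake the guide warns about: values dropped in with bare quotes."""
    return QUERY_TEMPLATE.format(
        country_a=f"'{country_a}'", country_b=f"'{country_b}'", max_sales=max_sales
    )


def run_command(sql: str):
    """Stand-in for the database driver: execute the submitted text verbatim."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn.execute(sql).fetchall()


def driver_accepts(sql: str) -> bool:
    """True when the submitted text parses and runs, False on a driver error."""
    try:
        run_command(sql)
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    print(run_command(build_command("USA", "Canada", 10000)))
    # A legitimate value with an apostrophe: quoted it works, raw it does not.
    print(run_command(build_command("Cote d'Ivoire", "Canada", 10000)))
    print(driver_accepts(build_command_unescaped("Cote d'Ivoire", "Canada", 10000)))
```

The escaping rule (doubling the single quote) is the one the SQL standard defines; check your own driver's documentation, since some products use a backslash escape or a different identifier quote than the backticks shown in the guide's example.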
23.2.5.1 To create a command object
1. In the Database Expert, expand the Create New Connection folder and browse the subfolders to
locate your data source.
2. Log on to your data source if necessary.
3. Under your data source, double-click the Add Command node.
4. In the "Add Command to Report" dialog box, enter an appropriate query/command for the data
source you have opened.
For example:
SELECT
    Customer.`Customer ID`,
    Customer.`Customer Name`,
    Customer.`Last Year's Sales`,
    Customer.`Region`,
    Customer.`Country`,
    Orders.`Order Amount`,
    Orders.`Customer ID`,
    Orders.`Order Date`
FROM
    Customer Customer INNER JOIN Orders Orders ON
    Customer.`Customer ID` = Orders.`Customer ID`
WHERE
    (Customer.`Country` = 'USA' OR
    Customer.`Country` = 'Canada') AND
    Customer.`Last Year's Sales` < 10000
ORDER BY
    Customer.`Country` ASC,
    Customer.`Region` ASC
2012-03-14
Understanding Databases