        public static DataTable GetDataTable(string tenant, string sql, ParameterInfo parameters)
        {
            // Runs the SQL text of a report against the given tenant's database and returns the
            // result set, or null when there is no SQL to run.
            //
            // SECURITY NOTE: `sql` is handed to the provider-specific helper verbatim -- nothing in
            // this method parses, rewrites or validates it. There is no reliable way to prove from
            // the text alone that a query is "SELECT-only", so a keyword filter must never be
            // treated as the defence. The only real control is the restricted "report_user" login
            // whose connection string is fetched below: it has to be provisioned with read-only
            // rights on the database server, and anyone who widens those rights silently removes
            // the protection. Reports are a developer-only feature, which reduces the exposure
            // but does not eliminate it.
            //
            // `parameters` is forwarded untouched; it is assumed to be bound as genuine database
            // parameters inside GetPostgresDataTable / GetSqlServerDataTable rather than spliced
            // into the text -- confirm that in the helpers before relying on it.
            //
            // TODO: investigate a stronger containment for report SQL than the login's privileges.
            if (string.IsNullOrWhiteSpace(sql))
            {
                return(null);
            }

            // Deliberately NOT the application's normal connection: the restricted login is the
            // whole point of this code path.
            string restrictedConnection = FrapidDbServer.GetReportUserConnectionString(tenant, tenant);
            bool   isPostgres           = TenantConvention.GetSite(tenant).DbProvider == "Npgsql";

            // Any provider other than Npgsql is treated as SQL Server, matching the existing
            // dispatch; there is no explicit "unknown provider" branch.
            return isPostgres
                ? GetPostgresDataTable(restrictedConnection, sql, parameters)
                : GetSqlServerDataTable(restrictedConnection, sql, parameters);
        }