Execute User Created Dynamic SQL Statement

I have a need for users to enter a SQL SELECT statement into a text input and have it executed to display the results. I've been reading the documentation and forums but haven't been able to figure out the issue.

Of note, I have checked "Disable converting queries to prepared statements" for my resource, BUT whenever I refresh the resource page it remains unchecked. Could this be part of my problem?

Hey @sbryfcz! This definitely sounds like you need to disable prepared statements :slight_smile: And for your second point, I believe only admins can make (and persist) this change. Do you know if you're an admin in your org?

Here's our blurb on prepared statements:

By default, all of our SQL queries are converted to prepared statements to prevent SQL injection, meaning that table/database names and SQL functions aren't able to be defined using a string created dynamically. The main reason we currently convert all statements into prepared statements is so that users can't enter malicious syntax (like DROP TABLE) into the variable fields.

You can disable this setting in the resource setup, but keep in mind the potential of submitting dangerous SQL through any of the variables referenced in a query. Disabling prepared statements can also break other existing queries. If that's something you'd like to explore, I often recommend setting up another copy of a resource with that setting enabled, to limit the surface area for which you have to keep SQL injection in mind.

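To illustrate the two points in the reply above (a prepared statement binds values, not table names, and running user-typed SQL without that protection needs another guard), here is an added example in Python using the standard sqlite3 module. It is not Retool's code; the `users`/`secrets` tables and the allowlist are constructed for the demo, and the guard shown is SQLite's authorizer hook, which refuses anything that is not a SELECT over allowlisted tables.

```python
import sqlite3

# Constructed allowlist: the only table a user-typed SELECT may read.
ALLOWED_TABLES = {"users"}


def _read_only_authorizer(action, arg1, arg2, dbname, source):
    """Permit SELECT statements that read allowlisted tables; deny all else.

    SQLite calls this while compiling the statement, so a DROP/DELETE/INSERT
    (or a read of a non-allowlisted table) fails before anything executes."""
    if action == sqlite3.SQLITE_SELECT:
        return sqlite3.SQLITE_OK
    if action == sqlite3.SQLITE_READ:  # arg1 = table, arg2 = column
        return sqlite3.SQLITE_OK if arg1 in ALLOWED_TABLES else sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION:  # built-ins such as count(), upper()
        return sqlite3.SQLITE_OK
    return sqlite3.SQLITE_DENY  # DROP, DELETE, INSERT, PRAGMA, ATTACH, ...


def build_demo_db():
    """Constructed in-memory database with one readable and one hidden table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, name TEXT, age INTEGER);
        INSERT INTO users VALUES (1, 'ann', 34), (2, 'bob', 27);
        CREATE TABLE secrets(id INTEGER, token TEXT);
        INSERT INTO secrets VALUES (1, 'constructed-secret');
    """)
    return conn


def run_user_select(conn, sql):
    """Run a user-typed statement under the authorizer.

    Returns the result rows, or a 'refused: ...' string when SQLite rejects
    the statement (not authorized, or more than one statement supplied)."""
    conn.set_authorizer(_read_only_authorizer)
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError as exc:
        return f"refused: {exc}"
    finally:
        conn.set_authorizer(None)


def identifier_cannot_be_bound(conn):
    """The reply's first point: a bound parameter is a value, never a table name,
    so 'SELECT * FROM ?' is a syntax error even with a valid table supplied."""
    try:
        conn.execute("SELECT * FROM ?", ("users",))
        return False
    except sqlite3.OperationalError:
        return True
```

`run_user_select` is the pattern to reach for when a resource must accept free-form SELECTs: the database itself enforces read-only access to named tables, instead of relying on prepared statements that cannot take a user-chosen table name anyway.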

Hello

Do you know if this improvement was applied?

I can't find any information anywhere

Hello! Are you looking for information on prepared statements? https://docs.retool.com/docs/sql-queries#security