Topic: Reporting parameters
Info for anyone developing Indicia reports.
To block a potential SQL injection attack risk, I've bumped up the sanitisation of all report parameters passed through to Indicia reports. This now means that the datatype of report parameters is used to sanitise parameter values, so you can't pass string data in number parameters etc. Although this particular change should not affect your reports, it does mean that it might break any reports which have the wrong datatype on their parameters (e.g. an integer datatype on what really should be a text parameter will now fail when passed something that is not a number).
There are also quite a few reports which accept a parameter to be used in an SQL IN (...) filter, such as a list of taxon group IDs. In order that these should be sanitised properly, you will need to append [] to the datatype, e.g. integer[] or text[]. This tells the sanitiser to sanitise the elements in the list, not the entire list in one go.
I've reviewed all the reports in SVN, as well as any additional ones on the BRC live warehouse as best I can, but if you have other reports elsewhere then they might need to be reviewed.
Regards
John
Biodiverse IT
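The datatype-driven sanitisation described in the post, as an added example that is not Indicia's own code: a small Python sanitiser (written in Python for illustration, not in the warehouse's language) that checks each report parameter against its declared datatype, treats a trailing [] as "check every element of a comma-separated list rather than the whole string", and renders the checked values as SQL literals so a list can be dropped into an IN (...) filter. The datatype names, the `#name#` placeholder syntax, the function names and the sample queries are all assumptions made for this example.

```python
"""Datatype-driven sanitiser for report parameters (added example, not Indicia code).

Each parameter declares a datatype: integer, float, boolean, date or text.
Appending [] means the value is a list whose elements are each checked
against the base type, which is what an SQL IN (...) filter needs.
"""
import re
from datetime import date


class ParameterError(ValueError):
    """Raised when a report parameter value does not fit its declared datatype."""


# Assumed datatype vocabulary for the example; the real warehouse's set may differ.
_SCALAR_TYPES = ("integer", "float", "boolean", "date", "text")
_INT_RE = re.compile(r"-?\d+")
_FLOAT_RE = re.compile(r"-?\d+(\.\d+)?")
_TRUE = {"true", "t", "1", "yes"}
_FALSE = {"false", "f", "0", "no"}


def sanitise_scalar(value, datatype):
    """Validate one value against a scalar datatype and return it as a typed value.

    Anything that is not a clean instance of the type is rejected, so
    '1 OR 1=1' fails as an integer and '1,2,3' fails too (it is a list).
    """
    if datatype not in _SCALAR_TYPES:
        raise ParameterError(f"unknown datatype {datatype!r}")
    text = str(value).strip()
    if datatype == "integer":
        if not _INT_RE.fullmatch(text):
            raise ParameterError(f"{text!r} is not an integer")
        return int(text)
    if datatype == "float":
        if not _FLOAT_RE.fullmatch(text):
            raise ParameterError(f"{text!r} is not a number")
        return float(text)
    if datatype == "boolean":
        low = text.lower()
        if low in _TRUE:
            return True
        if low in _FALSE:
            return False
        raise ParameterError(f"{text!r} is not a boolean")
    if datatype == "date":
        try:
            return date.fromisoformat(text)
        except ValueError as exc:
            raise ParameterError(f"{text!r} is not an ISO date") from exc
    return text  # text: any string is accepted; quoting happens when rendered


def sanitise_parameter(value, datatype):
    """Apply the datatype; a trailing [] means 'check each element of a list'."""
    if datatype.endswith("[]"):
        element_type = datatype[:-2]
        items = value if isinstance(value, (list, tuple)) else str(value).split(",")
        items = [str(v).strip() for v in items if str(v).strip() != ""]
        if not items:
            raise ParameterError("list parameter must contain at least one value")
        return [sanitise_scalar(v, element_type) for v in items]
    return sanitise_scalar(value, datatype)


def is_rejected(value, datatype):
    """True if the sanitiser refuses the value for that datatype."""
    try:
        sanitise_parameter(value, datatype)
    except ParameterError:
        return True
    return False


def sql_literal(typed, datatype):
    """Render a sanitised value as an SQL literal; lists become (a, b, c) for IN (...)."""
    if datatype.endswith("[]"):
        return "(" + ", ".join(sql_literal(v, datatype[:-2]) for v in typed) + ")"
    if datatype == "integer":
        return str(typed)
    if datatype == "float":
        return repr(typed)
    if datatype == "boolean":
        return "TRUE" if typed else "FALSE"
    if datatype == "date":
        return f"'{typed.isoformat()}'"
    return "'" + typed.replace("'", "''") + "'"  # text: double embedded quotes


_PLACEHOLDER = re.compile(r"#(\w+)#")  # assumed placeholder syntax for the example


def render_report(sql, params, datatypes):
    """Replace every #name# placeholder with the sanitised literal for that parameter."""
    def replace(match):
        name = match.group(1)
        if name not in datatypes:
            raise ParameterError(f"no datatype declared for parameter {name!r}")
        if name not in params:
            raise ParameterError(f"missing value for parameter {name!r}")
        dt = datatypes[name]
        return sql_literal(sanitise_parameter(params[name], dt), dt)
    return _PLACEHOLDER.sub(replace, sql)


if __name__ == "__main__":
    # Constructed sample report: a list parameter and a scalar one.
    sql = "SELECT id FROM occurrences WHERE taxon_group_id IN #groups# AND date_start >= #since#"
    print(render_report(sql, {"groups": "3, 7", "since": "2024-01-01"},
                        {"groups": "integer[]", "since": "date"}))
    print(is_rejected("1,2) OR (1=1", "integer[]"))  # each element is checked
```

Splicing literals into the SQL text is what a report template needs, but wherever the database driver allows it the sanitised values are better passed as bound parameters than rendered with sql_literal; the datatype check is still worth doing first so that a malformed value is rejected with a clear error rather than silently matching nothing. Note the asymmetry the post warns about: a comma-separated list sent to a plain integer parameter is rejected outright, so a report that relied on that working needs its datatype changed to integer[].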