Add sql parameter support to essql expression #94457
Labels: enhancement, Feature:Canvas, impact:medium, loe:medium, Team:Presentation
Elasticsearch SQL supports passing parameters to queries. We should add an argument to the `essql` expression function that allows users to pass in parameters to the query.

Some users are passing in parameters using the `urlparam` function and then passing that into the SQL function. This is particularly dangerous since there's no escaping in the SQL and SQL could be injected.

Additionally, at the moment, if you're using a Canvas variable to modify your SQL query, you have to use the `string` expression function to do a bunch of complicated string concatenation that is very hard to read. If we passed in parameters, it would make using variables in your SQL much easier.