UserFile BAQ Parameter doesn't work after upgrade

I have a very simple BAQ:

select 
	[UserFile].[DcdUserID] as [UserFile_DcdUserID],
	[UserFile].[Name] as [UserFile_Name],
	[UserFile].[GroupList] as [UserFile_GroupList]
from Erp.UserFile as UserFile
where (UserFile.DcdUserID = @USERID)

It worked on 10.2.700. We upgraded to 2022.1.23, and now it doesn’t. It returns no rows. If I remove the criteria, it returns all rows as one would expect (so I guess not a new security restriction). If I change the parameter to a constant, it works as expected. If I change the = to <>, it returns all rows including the USERID. It’s like the Parameter part is corrupting the comparison data for this one table only. (We have hundreds of other BAQs against other tables that seem to be working fine.)

I’ve deleted and reconstructed the BAQ from scratch but no change… Anyone have any suggestions?

Thanks!
-Bruce

What happens if you change the operator from “=” to “LIKE”?

If it still comes up empty, try entering % when prompted. That work?

Next try entering a known userid preceded by a %, like %CKRUSEN. Then try with a trailing %, like CKRUSEN%. Then one more time with both, %CKRUSEN%.

That’s just to see if there is some sort of leading or trailing character.

Changing to LIKE and sending % as USERID returns… nothing :(

If I change it to the constant ‘%’, it returns all rows, as expected. It really seems like the parameters part is messed up… just in case someone sees something stupid I’m doing:

FWIW sending blank in also returns no rows, not what I’d expect with ‘Skip condition if empty’ set.

You’ve tripped over unhandled SQL injection. Change your parameter name, @USERID is colliding with a software variable or function name.

You can confirm that by making a calculated text field whose value is @USERID - but don’t create the parameter with that name. You’ll get your user ID back.

That was it, changed the parameter name to USEREPICORID and all is well now. Thank you very much!