Group by parameter

#1

Hi,
is it possible to use a paramter in a group by? I tried it, but he is not grouping the data. My code looks like this:

SELECT revenue
FROM packet
GROUP BY ‘{{time}}’

Goal: I want to use different dates from each packet. (e.g. packet_created, packet_sent, packet_returned). All dates are added as a colum for eacht packet
packet created_at packet_sent … revenue
1 01.04.2019 24. 04.2019 1000€

#2

This is possible. But your syntax is weird. GROUP BY accepts column names but you’ve passed it a string wrapped in quotes. Remove the quotes and see what happens.

#3

perfect. It works! thanks

1 Like
#4

That said - I believe in future redash intends to have better protection against SQL injection - which might break this sort of query…

There are still a few ways around this:

  • Refer to a column numerically, and let redash know that the parameter is a number:

SELECT packet_created, packet_sent, packet_returned, revenue FROM packet GROUP BY {{number}};

  • If your DB engine supports it - explicitly use dynamic SQL in your query and perform your own parameter checking. MySQL is certainly capable of this - although you’ll need https://github.com/getredash/redash/pull/3003 merged before Redash can use MySQL dynamic SQL functionality.
#5

We’re working to avoid this. For now this functionality is preserved, but if you have a text based parameter (i.e. any input) you won’t be able to share such query.If you were to use a drop down (with allowed column names), then it will all be fine.

#6

Out of interest, which side will ‘Query Based Dropdown List’ fall into?

#7

Query Based Drop Downs also considered safe.