You can use the following types of variables in your templates:

Column name variables

Column name variables allow you to display or retrieve the value of a data column. The column name must exactly match the column name in your table and be enclosed in square brackets. The column name variable is replaced by the value of that column.

For example, to display the value of the Order Number column in your email template:

Order Number is <<[Order Number]>>

Note: When a data column value is displayed in an HTML document, it is always HTML encoded. See Preventing cross-site scripting attacks using HTML encoding.

You can also display the value of a column both before and after it is updated.

Expression variables

Expression variables allow you to compute values. You can use any expression in an expression variable. The expression variable is replaced by the result of the expression's evaluation.

For example, you can display the result of the Amt column value times the Qty column value as follows:

<<[Amt] * [Qty]>>

Dereference expression variables

Use a dereference expression to display the value of a column in a referenced record using the following format:

[Column Containing Reference].[Column in Referenced Table]

For example, the email template for the Order Details table in the Order Capture sample app uses the following dereference expression:

<<[Product].[Price]>>

In this example, the expression retrieves the product's price from the Products table. Product is the name of a column of type Ref in the Order Details table that refers to the Products table. Price is the name of the column in the Products table that contains the product's price.

You can use dereference expressions when computing values. For example:

Total Amount: <<[Product].[Price] * [Quantity]>>

Built-in variables

Built-in variables enable you to access a set of values provided by AppSheet. Built-in variable names always begin with an underscore (_).

AppSheet provides the built-in variables in the following table. For more information, see Sending an email.

| Built-in variable | Description | Example |
| --- | --- | --- |
| <<_APPID>> | Application GUID (Globally Unique Identifier) that uniquely identifies your app. | 8c26466f-1db0-4032-9c0f-40c2a588cf50 |
| <<_APPNAME>> | Name of your app. | MyApp-10301 |
| <<_APPOWNER>> | Owner ID of your app. | 10301 |
| <<_ATTACHMENTFILENAME>> | Archive attachment filename. See How the archive attachment file name is formed. | MyAttachmentName20190207_133355_804.pdf |
| <<_ATTACHMENTFILE_URL>> | Archive attachment file URL. | |
| <<_ATTACHMENTFILE_WEB_LINK>> | Link to the archive attachment file. The attachment name is used as the hyperlink text. Note: This variable can be used in a body or attachment template. It cannot be used in the Body property. | |
| <<_ATTACHMENTNAME>> | Email attachment name. | |
| <<_NOW>> | Current date and time. | 6/15/2021 1:45:30 PM |
| <<_ROWKEY>> | Key value of the added, deleted, or updated record. | |
| <<_ROW_WEB_LINK>> | Link to the added or updated record in your app. For example, you can include this URL in an email to allow the email recipient to easily open the added or updated record. Note: This variable can be used in a body or attachment template. It cannot be used in the Body property. | |
| <<_ROW_WEB_URL>> | URL that refers to the added or updated record in your app. For example, you can include this URL in an email to allow the email recipient to easily open the added or updated record. The full URL is displayed. | |
| <<_RULENAME>> | Name of the automation rule. | My Update Rule |
| <<_TABLENAME>> | Name of your table. | Orders |
| <<_TIMENOW>> | Current time. | 1:45:30 PM |
| <<_TODAY>> | Current date. | 6/15/2021 |
| <<_UPDATEMODE>> | Name of the operation that triggered the automation rule. | Add, Delete, or Update |
| <<_USEREMAIL>> | Current user's email address. | jmorgan@google.com |
| <<_USERNAME>> | Current user's name. | Julie Morgan |

Preventing cross-site scripting attacks using HTML encoding

AppSheet always HTML encodes field values when they are displayed in an HTML document. HTML encoding ensures that field values are displayed as simple text by the browser and that field values are not interpreted by the browser as HTML. This is essential to prevent Cross-site Scripting (XSS) attacks when a user enters JavaScript in a field, such as:

<script type="text/javascript">
function doSomethingEvil() { /* ... */ }
</script>
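
As an added illustration (not AppSheet's own code), the following Python sketch substitutes column name variables into an HTML template and HTML encodes each value, so the script above is rendered as inert text. The `render` function, its `encode` switch, the `Note` column, and the sample row are assumptions made for this example.

```python
import html
import re

# Matches column name variables such as <<[Order Number]>>.
# Expression and dereference variables are outside the scope of this sketch.
COLUMN_VAR = re.compile(r"<<\[([^\[\]]+)\]>>")


def render(template: str, row: dict, encode: bool = True) -> str:
    """Replace each <<[Column]>> with the row's value for that column.

    With encode=True (the safe default) the value is HTML encoded, so
    markup typed into a field is shown as text instead of being parsed.
    encode=False exists only to show what the unencoded output looks like.
    """
    def substitute(match: re.Match) -> str:
        column = match.group(1)
        if column not in row:
            # The column name must match exactly; fail loudly on a miss.
            raise KeyError(f"no column named {column!r}")
        value = str(row[column])
        # quote=True also encodes " and ', which matters inside attributes.
        return html.escape(value, quote=True) if encode else value

    return COLUMN_VAR.sub(substitute, template)


# Constructed sample data: the Note field holds a script like the one above.
TEMPLATE = "<p>Order Number is <<[Order Number]>></p><p>Note: <<[Note]>></p>"
ROW = {
    "Order Number": 1001,
    "Note": '<script type="text/javascript">doSomethingEvil()</script>',
}

if __name__ == "__main__":
    print("encoded:  ", render(TEMPLATE, ROW))
    print("unencoded:", render(TEMPLATE, ROW, encode=False))
```

In the encoded output the browser receives `&lt;script ...&gt;` and displays it as literal text; in the unencoded output the same field value would be parsed as a script element.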
