Does anyone know if the platform actions for creating/updating entities check for SQL injection in text fields?
For example, suppose we have an entity called Person and 2 attributes for it: Name (Text datatype) and BirthDate (Date datatype). The platform will automatically create several associated functions, such as createPerson(), which we will use to add one more record to the associated database table.
I know the platform will check BirthDate values to see if they really belong to the Date datatype but what about the Name values? Being Text, our user could enter malicious SQL injection in that field. Must we invoke the 'EncodeSql()' explicitly before calling the (for example) createPerson() function?
Thank you for any thoughts about this subject,
cannot find the documentation, but afaik, encodesql is only needed for advanced queries.
the normal create/update are generated and already covering encoding..
for the record, here's the pdf on the security of
Thanks for your answer! I've made a few simple tests and the platform-generated actions for creating entities do perform SQL encoding of fields having the Text datatype.
I believe care must be taken only when using advanced queries having input parameters with the 'Expand Inline' attribute set to 'Yes'.
That is correct. That toggle turns off treating it as a SQL parameter and directly injects the value into the SQL.
The OutSystems Platform uses bind variables for parameters in Simple and Advanced Queries and Aggregates, which prevents any SQL injection in the queries. Only Advanced Queries allow setting a parameter as "expand inline", which will translate it into SQL statements, thus allowing for SQL injections.
This is valid for all supported database engines.
More information about this topic at http://www.outsystems.com/forums/discussion/2857/tip-how-to-avoid-code-injection-in-outsystems-applications/
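As an added illustration of the distinction the thread draws (not code from any poster), here is the same Advanced Query written with a normal parameter and with an Expand Inline parameter. It assumes the Person entity from the question (Name: Text, BirthDate: Date) and uses OutSystems' `{Entity}.[Attribute]` and `@Parameter` syntax; the `EncodeSql()` wrapping shown in the comment is the pattern the thread refers to.

```sql
-- Added example, not from the thread. Assumes the Person entity
-- (Name: Text, BirthDate: Date) and an Advanced Query with input parameters.

-- 1) Default: Expand Inline = No. @Name is sent to the database as a bind
--    variable, so the text the user typed is compared as data and is never
--    parsed as SQL. No EncodeSql() call is needed here.
SELECT {Person}.[Id], {Person}.[Name], {Person}.[BirthDate]
FROM {Person}
WHERE {Person}.[Name] = @Name;

-- 2) Expand Inline = Yes. The text of @NameList is pasted into the
--    statement before it is sent, which is what makes a dynamic IN (...)
--    list possible and also what makes raw user input dangerous here.
--    Build the value in the calling Action, quoting and encoding each item:
--      "'" + EncodeSql(Name1) + "','" + EncodeSql(Name2) + "'"
--    EncodeSql() escapes string literals only; an inline identifier
--    (e.g. a column name for ORDER BY) must instead be checked against a
--    fixed allowlist, since no encoding makes an arbitrary identifier safe.
SELECT {Person}.[Id], {Person}.[Name], {Person}.[BirthDate]
FROM {Person}
WHERE {Person}.[Name] IN (@NameList);
```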