Good Day,

I am a little concerned with SQL injection with regards to the exposed REST APIs connected to the Outsystems Database. Are these REST APIs already created as parameterized requests/prepared statements? 

Jerome Lieow

Hi Jerome,

The REST APIs by themselves do not connect directly to the database, there will be a explicit query in the exposed action that does that.

That said, all Aggregates and SQL nodes are always implemented using prepared statements with parameters to avoid any SQL injection issues.
The only exception is when for advanced scenarios on the SQL node you add an input with the "Expand inline" property set to "true" (false by default). In that case Service Studio even gives you a warning telling you that you need to escape the values passed.

João Rosado