Escape content!

Hi there,

I would like to know if there is any way of preventing users from making searches using characters such as " or '....

These characters ruin all of my queries and my application crashes, obviously....

Besides this, I would like to prevent people from using scripts and HTML input keywords when searching for something like "<script>alert('Your program is bugged!');</script>" (this fires up an alert on submit...)

Thanks in Advance,
Pedro Barbosa



Hi Pedro,

The OutSystems platform has some protection in the data layer that should prevent SQL injection in simple queries. As for the JavaScript in unescaped expressions, your best bet is to use the Regex_Search action in the Text extension.

Cheers,
Tiago

Hello Pedro,

You may use one of the built-in functions to perform the required character escaping:

EncodeSql (text) - Returns a string with special characters translated in order to be used in SQL literals.

EncodeHtml (text) - Returns a string with all the reserved characters translated in order to be used in HTML literals.

These functions are available in the Expression Editor under Functions -> Text.

Best regards,

Paulo Almeida

> these characters ruin all of my queries and my application crashes, obviously....

Such characters only ruin your queries in a specific (not so frequent) situation where you use advanced queries with expand inline query parameters.
For such situations you should use the EncodeSql function to escape user input while composing the inline SQL for the parameter.

As for "<script>..." tags, they should only pose problems when you explicitly use unescaped expressions in web. Again, in such situations you should use EncodeHtml for the user input inside the HTML.

Are these situations frequent in your development?
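An added example, written for this thread and not code from any of the posters or from OutSystems, that mirrors the two situations the last reply describes using Python and sqlite3: a search term expanded inline into SQL (where a quote breaks the statement unless it is escaped first), the parameterized "simple query" case, and HTML encoding of the term before it is echoed into a page. The table is constructed sample data, and `encode_sql` / `encode_html` are stand-ins for EncodeSql / EncodeHtml, whose exact output format the thread does not give.

```python
import html
import sqlite3

# Constructed sample data standing in for an application's search table.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE product (name TEXT)")
conn.executemany("INSERT INTO product VALUES (?)",
                 [("Widget",), ("O'Neil Gadget",)])


def search_inline_unescaped(term: str):
    """Inline expansion of raw input: a quote in the term breaks the SQL
    (the crash described in the question). Returns the matching names,
    or the database error text when the statement no longer parses."""
    sql = f"SELECT name FROM product WHERE name LIKE '%{term}%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"SQL error: {exc}"


def encode_sql(text: str) -> str:
    """Stand-in for EncodeSql (assumed behaviour): double every single quote
    so the value can sit inside a SQL string literal."""
    return text.replace("'", "''")


def search_inline_escaped(term: str) -> list:
    """Inline expansion with the user input escaped first."""
    sql = f"SELECT name FROM product WHERE name LIKE '%{encode_sql(term)}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(term: str) -> list:
    """The simple-query case: the driver binds the value, so no escaping is
    needed and quotes in the term are just data."""
    rows = conn.execute("SELECT name FROM product WHERE name LIKE ?",
                        (f"%{term}%",))
    return [row[0] for row in rows]


def encode_html(text: str) -> str:
    """Stand-in for EncodeHtml: reserved characters become entities, so a
    term echoed back into the page is displayed as text, not run as script."""
    return html.escape(text, quote=True)
```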