SQL Injection Warning in SilkUI sample, please advise how I can solve this...


Hi, I'm using one of the SilkUI templates and I have encountered the following warning, which I am unable to solve. Can somebody please point me in the right direction?

----------

SQL Injection
Ensure the expand inline argument is protected by using EncodeSql(), or VerifySqlLiteral() from the Sanitization extension, to avoid security flaws.

----------


When I double-clicked to see what the warning is referring to, it refers me to something named:

ColaboratorsToDelete

and the statement is:


DELETE FROM {ProjectColaborator}
WHERE {ProjectColaborator}.[ColaboratorId] IN (@ColaboratorsList)
AND {ProjectColaborator}.[ProjectId] = VerifySqlLiteral(@ProjectId)
Solution

Hi Connie,

You can use EncodeSql(INPUT) in the Advanced SQL parameters that you posted in your screenshot. So for ColaboratorsList you should give the input EncodeSql(ColaboratorsToDelete).

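What the warning is about, as an added example written for this thread (not OutSystems code and not part of either post above): an Expand Inline parameter's text is pasted straight into the SQL statement, so anything it contains becomes SQL. The example below is Python against an in-memory SQLite table; `expand_inline` shows that pasting, and `verify_id_list` / `encode_id_list` are hypothetical stand-ins for the VerifySqlLiteral and EncodeSql step, applied to the value before it is handed to the query rather than written inside the SQL text. The ProjectColaborator table and its rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for the ProjectColaborator entity
# from the question: (ColaboratorId, ProjectId).
SAMPLE_ROWS = [(1, 10), (2, 10), (3, 10), (1, 20)]

# Accept only a comma-separated list of unsigned integers: no spaces,
# quotes, comments or keywords, which is all an IN list of ids needs.
_ID_LIST = re.compile(r"\d+(,\d+)*")


def build_db():
    """Create an in-memory SQLite table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE ProjectColaborator (ColaboratorId INTEGER, ProjectId INTEGER)"
    )
    conn.executemany("INSERT INTO ProjectColaborator VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def expand_inline(sql, name, value):
    """Model of an Expand Inline parameter: the parameter's text replaces
    @name in the statement as-is, so whatever it contains is executed as SQL."""
    return sql.replace("@" + name, value)


def verify_id_list(value):
    """Hypothetical stand-in for a VerifySqlLiteral-style check on an id list.
    Returns the value unchanged when it is safe to expand inline, else raises."""
    if not _ID_LIST.fullmatch(value):
        raise ValueError("ColaboratorsList must be a plain comma-separated list of ids")
    return value


def is_safe_id_list(value):
    """True when verify_id_list would accept the value."""
    try:
        verify_id_list(value)
        return True
    except ValueError:
        return False


def encode_id_list(ids):
    """Hypothetical stand-in for an EncodeSql-style encoder for an id list:
    the IN list is rebuilt from integers, so no caller-supplied text reaches SQL."""
    return ",".join(str(int(i)) for i in ids)


def delete_colaborators(conn, colaborator_ids, project_id):
    """Sanitized version of the question's DELETE. The id list is encoded and
    verified before it is expanded inline; ProjectId is not expanded at all
    but bound as a query parameter. Returns the number of rows deleted."""
    in_list = verify_id_list(encode_id_list(colaborator_ids))
    template = (
        "DELETE FROM ProjectColaborator "
        "WHERE ColaboratorId IN (@ColaboratorsList) AND ProjectId = ?"
    )
    sql = expand_inline(template, "ColaboratorsList", in_list)
    cur = conn.execute(sql, (int(project_id),))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Rows left in the table, for checking the result."""
    return conn.execute(
        "SELECT ColaboratorId, ProjectId FROM ProjectColaborator "
        "ORDER BY ProjectId, ColaboratorId"
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print(delete_colaborators(db, [1, 2], 10))  # 2
    print(remaining(db))                          # [(3, 10), (1, 20)]
    # A value that is not a bare id list is rejected before it reaches SQL.
    print(is_safe_id_list("1,2'"))                # False
```

The point mirrored from the answer: the sanitization call belongs on the input parameter (the value handed to the query), not inside the SQL text, because an Expand Inline parameter is substituted verbatim and the database never sees the function name as anything but more SQL.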