[Advanced Filter Builder] SQL injection warning

Forge Component
(26)
Published on 15 Jan by João Pêgas

I'm attempting to use Advanced Filter Builder, and I have it working in my application, but I cannot find a way to resolve the SQL injection warnings related to the Expand Inline property. Is there something I'm missing on this?


Solution

Hi Josh, 

Have you already tried to use EncodeSQL() function to secure values in your expression?

Solution

André Siébra wrote:

Hi Josh, 

Have you already tried to use EncodeSQL() function to secure values in your expression?

I'm pretty new to this, do I add EncodeSQL() in the advanced SQL query? For example, at the end of the Advanced SQL query it has @AdvanceFilter, so I would add EncodeSQL(@AdvanceFilter) there?

Josh Herron wrote:

André Siébra wrote:

Hi Josh, 

Have you already tried to use EncodeSQL() function to secure values in your expression?

I'm pretty new to this, do I add EncodeSQL() in the advanced SQL query? For example, at the end of the Advanced SQL query it has @AdvanceFilter, so I would add EncodeSQL(@AdvanceFilter) there?

You just need to encode the values coming from the server that compound the filter, not the filter at all.

e.g.: "MYCOLUMN = " + EncodeSQL(VariableFromServer) + " AND 1 = 1"
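To make the distinction André describes concrete, here is an added example (not code from the Forge component or from OutSystems): a small filter builder in which the column names come from a fixed whitelist and only the values are escaped, using a stand-in for EncodeSQL() that doubles single quotes. The entity name, the column whitelist and the input values are constructed for the example.

```python
# Added example; the whitelist, entity and sample values are constructed.
ALLOWED_COLUMNS = {"Name", "City", "Status"}  # columns the UI may filter on


def encode_sql(value: str) -> str:
    """Stand-in for EncodeSQL(): escape a value for use inside a single-quoted SQL literal."""
    return value.replace("'", "''")


def build_filter(conditions):
    """Build the fragment that reaches the query through the Expand Inline parameter.

    `conditions` is a list of (column, value) pairs. The column is checked against the
    whitelist (it is never taken from user input as-is); only the value is encoded,
    which is the part that actually varies per request.
    """
    parts = []
    for column, value in conditions:
        if column not in ALLOWED_COLUMNS:
            raise ValueError(f"column not allowed in filter: {column!r}")
        parts.append(f"{column} = '{encode_sql(value)}'")
    return " AND ".join(parts) if parts else "1 = 1"


def query_with_filter(advance_filter: str) -> str:
    """The Advanced SQL query, with @AdvanceFilter expanded inline at the end."""
    return f"SELECT * FROM {{Customer}} WHERE {advance_filter}"


if __name__ == "__main__":
    # Constructed input: a value containing a quote, which would otherwise end the literal early.
    conditions = [("Name", "O'Brien"), ("Status", "Active")]
    print(query_with_filter(build_filter(conditions)))
    # Encoding the assembled filter instead only doubles the quotes of an expression that is
    # already correct, and does nothing for the column names and operators around the values.
    print(encode_sql(build_filter(conditions)))
```

Encoding each value where the filter is assembled is what removes the warning's cause; wrapping the whole @AdvanceFilter in EncodeSQL() would mangle a valid expression without protecting the parts that are not string literals.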


André Siébra wrote:

Josh Herron wrote:

André Siébra wrote:

Hi Josh, 

Have you already tried to use EncodeSQL() function to secure values in your expression?

I'm pretty new to this, do I add EncodeSQL() in the advanced SQL query? For example, at the end of the Advanced SQL query it has @AdvanceFilter, so I would add EncodeSQL(@AdvanceFilter) there?

You just need to encode the values coming from the server that compound the filter, not the filter at all.

e.g.: "MYCOLUMN = " + EncodeSQL(VariableFromServer) + " AND 1 = 1"



I think I follow... just need to debug and step through and figure out exactly which function is setting those values.