Greetings,

I have an Input Parameter in my SQL Query which has the value of a Session Variable, and the Inline property is set to Yes, but it throws a warning (SQL Injection) as shown in the attached image below.

Even though the Inline argument is protected by EncodeSQL(SessionVariable), I am unable to run the Query.

Can someone please suggest what should be done for this? (The Inline property should be Yes and I want my Query to run.)

First of all, sorry that it's hard to understand how to solve these warnings. OutSystems is working on improving them and will be updating both the warnings and the documentation in the following weeks to address most of the confusion.


In your case, if, before your query, you are iterating over a list of integers or integer identifiers to concatenate a comma-separated string, then the warning is a false positive, since there is no chance for an end user to tamper with it in a way that introduces a SQL injection problem.

So for this particular case the best option is to hide the warning.


Just to give a bit more context about EncodeSQL, since it was mentioned: doing EncodeSQL(ids) is wrong. It will make the warning disappear, but it is not really protecting anything. We will add a new explicit warning for this scenario.

A correct usage for it would be if the ids were of type TextIdentifier. In that case the concatenation (appending to csvIds on each iteration) would have to look like:

csvIds = csvIds + If(csvIds <> "", ",", "") + "'" + EncodeSQL(List.Current.SomeTextId) + "'"

This would make your csvIds variable safe from SQL injection problems, but (on the current version) you would still need to hide the warning.
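As an added worked example (not code from the original thread and not OutSystems' own implementation), here are the two cases the answer above distinguishes, run against an in-memory SQLite table: an integer ID list, where escaping is a no-op and the real protection is that only integers can ever enter the list, and a text ID list, where every value must be both escaped and wrapped in single quotes. The `encode_sql` helper is assumed to behave like EncodeSQL (it doubles single quotes and adds none of its own); the `Item` table, its rows and the injection payload are constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for an OutSystems entity (assumption).
ITEMS_TEXT = [("abc", "Alpha"), ("def", "Delta"), ("secret", "Hidden")]
ITEMS_INT = [(1, "One"), (2, "Two"), (3, "Three")]


def encode_sql(value: str) -> str:
    """Assumed to mirror EncodeSQL: double every single quote so the value
    cannot close the literal it is placed in. It adds NO surrounding quotes,
    so it only helps when the caller wraps the result in '...'."""
    return value.replace("'", "''")


def csv_int_ids(ids) -> str:
    """Build "1,2,3" from integer identifiers. Anything that is not an int is
    rejected, so the result can only contain digits, '-' and ','. This type
    check, not EncodeSQL, is what makes the integer case injection-proof."""
    parts = []
    for i in ids:
        if isinstance(i, bool) or not isinstance(i, int):
            raise TypeError(f"not an integer id: {i!r}")
        parts.append(str(i))
    return ",".join(parts)


def csv_text_ids(ids) -> str:
    """Build "'a','b'" from text identifiers: escape each one, then quote it.
    This is the equivalent of the csvIds concatenation in the answer above."""
    return ",".join("'" + encode_sql(str(i)) + "'" for i in ids)


def naive_csv_text_ids(ids) -> str:
    """The insecure variant: quoted but NOT escaped. Shown only to contrast."""
    return ",".join("'" + str(i) + "'" for i in ids)


def build_query(csv_ids: str) -> str:
    """Inline the CSV into the IN list, as the Inline=Yes parameter would."""
    return f"SELECT Id FROM Item WHERE Id IN ({csv_ids})"


def run_query(csv_ids: str, rows, id_type: str) -> list:
    """Execute the inlined query against a fresh in-memory table and return
    the matched Ids. id_type is the SQL type of the Id column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE Item (Id {id_type} PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Item VALUES (?, ?)", rows)
    result = [r[0] for r in conn.execute(build_query(csv_ids))]
    conn.close()
    return result


if __name__ == "__main__":
    # Integer case: EncodeSQL changes nothing (no quotes to double), and it
    # would change nothing for a hostile unquoted string either.
    print(csv_int_ids([1, 2, 3]), encode_sql("1,2,3"))
    hostile = "1) OR (1=1"
    print(encode_sql(hostile) == hostile, run_query(hostile, ITEMS_INT, "INTEGER"))
    try:
        csv_int_ids([1, "2) OR (1=1"])
    except TypeError as e:
        print("rejected:", e)

    # Text case: escaping plus quoting keeps the payload inside one literal.
    payload = "x') OR ('1'='1"  # constructed injection attempt
    print(run_query(csv_text_ids(["abc", payload]), ITEMS_TEXT, "TEXT"))
    print(run_query(naive_csv_text_ids(["abc", payload]), ITEMS_TEXT, "TEXT"))
```

The integer run shows why `EncodeSQL(ids)` on an integer CSV is cosmetic: the string has no quotes to escape, so it passes through unchanged, and a string such as `1) OR (1=1` would too. What stops that string from existing is the integer type of the list, which is exactly why the warning is a false positive there. The text run shows the opposite: without escaping, the quoted payload closes the `IN (...)` list and returns every row; with escaping, the payload stays a harmless literal and only `abc` matches.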