Hello everyone,
I am using an Advanced Query with the Expand Inline property set to Yes, but it shows a warning:
Warning: Avoid enabling the Expand Inline Property of SQL Query Parameter since it could make your application vulnerable to SQL Injection.
How can we remove this warning?
Regards
--RJ--
Hi Rahul,
In your case you can use the VerifySqlLiteral() or EncodeSql() functions from the Sanitization Extension to ensure it only contains valid SQL literals.
You can also refer to this doc:
Injection and Cross Site Script (XSS) - OutSystems
https://success.outsystems.com/Documentation/11/Reference/Errors_and_Warnings/Warnings/SQL_Injection_Warning
https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
Hope this helps.
Regards,
Samiksha.
Hi Rahul Jain,
If you must set the Expand Inline property to Yes for a good reason (e.g. using an IN clause), you can hide these warnings.
Best Regards
Hi Rahul,
You will need to wrap the input parameter(s) of your Advanced Query that have Expand Inline set to Yes using EncodeSql(). With that the warning should go.
For example: EncodeSql(xyz)
Hope that helps.
Shilpa Uppund
In your case you can use the VerifySqlLiteral() function to avoid the warning.
For more detail, please refer to the documentation below:
Shashikant Shukla
Please refer to the link below; this helped me solve the same issue.
https://success.outsystems.com/Documentation/Best_Practices/Development/Building_Dynamic_SQL_Statements_the_Right_Way
Hope this helps you!
Lakshmi Kumar
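As an added illustration (not code from this thread or from OutSystems), here is a Python model of what the replies recommend: the unsanitized Expand Inline pattern beside an EncodeSql()-style literal encoder and a VerifySqlLiteral()-style check for the IN-clause case. The table and column names, the sample inputs and the exact behaviour of the two helpers are assumptions, not the platform's implementation.

```python
import re

# Constructed sample inputs (not from the thread): a legitimate value that
# contains a quote, and a list of ids as a user might type them.
SAMPLE_NAME = "O'Brien"
SAMPLE_IDS = " 1, 2 ,3"


def build_unsafe(ids_text: str) -> str:
    """Expand Inline = Yes with no sanitization: whatever the parameter
    holds is pasted verbatim into the SQL text. This is what the warning
    in the question is about."""
    return f"SELECT Id, Total FROM Orders WHERE Id IN ({ids_text})"


def encode_sql_literal(value: str) -> str:
    """Model of what an EncodeSql()-style helper does (hypothetical, not the
    OutSystems implementation): double every embedded single quote and wrap
    the result in quotes, so the text can only be read as one literal."""
    return "'" + value.replace("'", "''") + "'"


def verify_int_list(ids_text: str) -> str:
    """Model of a VerifySqlLiteral()-style check (hypothetical): for an IN
    clause of numeric ids, accept only a comma-separated list of integers
    and rebuild the text from the parsed values; anything else is rejected."""
    if not re.fullmatch(r"\s*-?\d+\s*(,\s*-?\d+\s*)*", ids_text):
        raise ValueError("parameter is not a comma-separated list of integers")
    return ",".join(str(int(part)) for part in ids_text.split(","))


def build_in_clause(ids_text: str) -> str:
    """Hardened form of build_unsafe: the expanded text is validated first."""
    return f"SELECT Id, Total FROM Orders WHERE Id IN ({verify_int_list(ids_text)})"


def build_name_filter(name: str) -> str:
    """Hardened text comparison: the value is encoded as a single literal."""
    return f"SELECT Id FROM Customers WHERE Name = {encode_sql_literal(name)}"


if __name__ == "__main__":
    print(build_in_clause(SAMPLE_IDS))
    print(build_name_filter(SAMPLE_NAME))
    try:
        build_in_clause("1,2,x")
    except ValueError as exc:
        print("rejected:", exc)
```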