How can I remove the SQL Injection warning?
Question

Hello everyone,

I am using an Advanced Query with the Expand Inline property set to Yes, but it is showing a warning:

Warning: Avoid enabling the Expand Inline Property of SQL Query Parameter since it could make your application vulnerable to SQL Injection.

How can we remove this warning?

Regards 

--RJ--



Hi Rahul,

In your case you can add the VerifySqlLiteral() or EncodeSql() functions from the Sanitization Extension to ensure it only contains valid SQL literals.

You can also refer to these docs:

Injection and Cross Site Script (XSS) - OutSystems 

https://success.outsystems.com/Documentation/11/Reference/Errors_and_Warnings/Warnings/SQL_Injection_Warning

https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html

Hope this helps.

Regards,

Samiksha.


Hi Rahul Jain,

If you must set the Expand Inline property to Yes for a good reason (e.g. using an IN clause), you can hide these warnings.

Best Regards


Hi Rahul,

You will need to wrap the input parameter(s) of your Advanced Query that have Expand Inline set to Yes using EncodeSql(). With that, the warning should go.

For example: EncodeSql(xyz)

Hope that helps.


Regards,

Shilpa Uppund
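An added example, not from this thread and not OutSystems code, illustrating the two points made above: wrapping an expanded parameter in EncodeSql() is sufficient when the parameter sits inside a quoted string literal, while the IN-clause case (the usual reason to keep Expand Inline set to Yes) is not quoted, so it needs a VerifySqlLiteral()-style validation instead. Python with an in-memory SQLite table stands in for the platform; encode_sql(), verify_id_list(), the Product table and its rows are constructed for this example and are not the Sanitization Extension's real implementation.

```python
import re
import sqlite3

# Added example, not OutSystems code. encode_sql() and verify_id_list() are
# hypothetical stand-ins for EncodeSql() and a VerifySqlLiteral()-style check.


def encode_sql(value: str) -> str:
    """Escape a value so it can only be read as the contents of a single-quoted
    string literal: each ' becomes ''. Stand-in for EncodeSql()."""
    return value.replace("'", "''")


def verify_id_list(raw: str) -> str:
    """Validate a comma-separated list of integer ids for an IN (...) clause.
    Nothing here is quoted, so escaping quotes would not help; the input is
    checked against a strict pattern and rejected otherwise."""
    parts = [p.strip() for p in raw.split(",")]
    if not all(re.fullmatch(r"\d+", p) for p in parts):
        raise ValueError(f"rejected non-numeric IN list: {raw!r}")
    return ", ".join(parts)


def make_db() -> sqlite3.Connection:
    """Constructed sample table (SQLite in memory) standing in for an Entity."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE Product (Id INTEGER PRIMARY KEY, Name TEXT, IsPublic INTEGER);
        INSERT INTO Product VALUES (1, 'Keyboard', 1), (2, 'Mouse', 1), (3, 'Internal', 0);
        """
    )
    return conn


def names(conn, sql: str, params=()) -> list:
    return [row[0] for row in conn.execute(sql, params)]


def search_inline_raw(conn, name: str) -> list:
    # Expand Inline = Yes with the raw parameter: the text is pasted into the SQL,
    # so a quote in the input ends the literal and the rest becomes SQL.
    sql = f"SELECT Name FROM Product WHERE IsPublic = 1 AND Name = '{name}' ORDER BY Id"
    return names(conn, sql)


def search_inline_encoded(conn, name: str) -> list:
    # Expand Inline = Yes, but the parameter is wrapped in EncodeSql() first.
    sql = f"SELECT Name FROM Product WHERE IsPublic = 1 AND Name = '{encode_sql(name)}' ORDER BY Id"
    return names(conn, sql)


def search_bound(conn, name: str) -> list:
    # Expand Inline = No (the default): the value is bound as a parameter and
    # never parsed as SQL. This is the form to prefer whenever it is possible.
    sql = "SELECT Name FROM Product WHERE IsPublic = 1 AND Name = ? ORDER BY Id"
    return names(conn, sql, (name,))


def public_by_ids(conn, id_list: str) -> list:
    # The case that genuinely needs Expand Inline: a variable-length IN list.
    sql = f"SELECT Name FROM Product WHERE IsPublic = 1 AND Id IN ({verify_id_list(id_list)}) ORDER BY Id"
    return names(conn, sql)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print(search_inline_raw(db, payload))      # all three rows, including the non-public one
    print(search_inline_encoded(db, payload))  # []
    print(search_bound(db, payload))           # []
    print(public_by_ids(db, "1, 2"))           # ['Keyboard', 'Mouse']
    try:
        public_by_ids(db, "1) OR 1=1 --")
    except ValueError as err:
        print(err)
```

The point to take from this is that EncodeSql() protects a value that lands between single quotes; for unquoted positions such as an IN list, a column name or an ORDER BY direction, validate the value against what you expect and reject anything else. Simply hiding the warning, with the raw parameter still expanded inline, leaves the injection in place.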

Hi Rahul,

In your case you can use the VerifySqlLiteral() function to avoid the warning.

For more detail, please refer to the documentation below:

https://success.outsystems.com/Documentation/11/Reference/Errors_and_Warnings/Warnings/SQL_Injection_Warning


Regards

Shashikant Shukla


Hi Rahul,

Please refer to the link below; this helped me to solve the same issue.

https://success.outsystems.com/Documentation/Best_Practices/Development/Building_Dynamic_SQL_Statements_the_Right_Way


Hope this helps you!

Regards,

Lakshmi Kumar

Hi Rahul,

In this component there is a demonstration of the use of EncodeSql().

https://www.outsystems.com/forge/component-overview/10200/sql-advanced-query-samples-for-dummies
