Prevent SQL Injection for String statement in IN clause
Application Type
Traditional Web

Hi Team,

      I am passing text statements in IN clause for example "AND 26-09-2020 Outstanding item", so its showing SQL injection warnings, I know we have Build-in clause Text from sanitize API, but since its a complete string statement I think don't need to go with it,

      Also by using EncodeSQL() and VerifySQLliteral() facing some Exceptions so, is there any other way to remove this warning.

Thanks in Advance 

Balaji

yes of course,

you will have to split up your input parameter into the safe and unsafe part, the safe part (the one that users can't manually change) will be the entity name + attribute name + operator (all for example selected by dropdown by the user) and this safe part can be safely put on expand inline true, the second part will only hold the search value, free text entered by the user, and this should for safety reasons be left on expand inline false.

Dorine

Hi Balaji,

TrueChange will show the warning unless you apply the expression as they suggest for security reasons.

But if you are sure about the security of your expression, you can manually hide the warning:

Best regards

Hi Jose

Thanks for your suggestion, but I need a solution to get rid of the warning by making some action, hiding is not workable, do you have any other fix.

Thanks 

Balaji

Sorry but no. As you can see from the documentation SQL_Injection_Warning, they recommend using the expression the right way or hide the warning.

Hi Balaji,

I agree that you shouldn't just hide it, unless there is no way users can modify your search string.

What is the reason why you wouldn't just use the proposed BuildSafe_InClauseTextList ?

In case of your example of "AND 26-09-2020 Outstanding item" , what is the IN clause you are aiming at ?  Can you show screenprints of your SQL and of the parameters you pass into it ?

Dorine

Hi Dorine 

   You can see the where clause variables value that I am passing previously so it's given value perfectly but after using build in clause text from sanitization its giving same values with some single quotes but when I passing that values to sql output is 0 values, so how to fix it.

Best regards 

Screenshot20210719104149Gallery.jpg

Hi Balaji,

you are talking about an IN clause in this post, but that's not what you are looking for, you are trying to have a dynamic WHERE clause ???  

Please paste your SQL statement in here so we know exactly what you are trying to do.

Anyway, in you case, BuildSafe_InClauseTextList is absolutely not applicable, the purpose of that is to build a comma seperated list of values to be used in an IN clause in SQL, what is not what you are doing.

IF what you are trying to do is have dynamic conditions on any attribute, you could let the user select the attribute name instead of typing it in you search string, select the operator instead of typing it in your search string, and then pass 2 variables to your SQL : 

  • the first with the attribute name and the operator doesn't have direct user input, so you can safely expand inline and hide the warning
  • the second with only the search value, doesn't need expand inline

You might have to experiment a little with the different data types, but something like this should be doable.

Dorine


Hi Dorine 

  As you said the where clause not used in IN operator but in other area we using with In operator, any how in our case input variable is in YES expand inline parameter , so if I change it to NO out put not exist.

Regards 

Balaji

yes of course,

you will have to split up your input parameter into the safe and unsafe part, the safe part (the one that users can't manually change) will be the entity name + attribute name + operator (all for example selected by dropdown by the user) and this safe part can be safely put on expand inline true, the second part will only hold the search value, free text entered by the user, and this should for safety reasons be left on expand inline false.

Dorine

Community GuidelinesBe kind and respectful, give credit to the original source of content, and search for duplicates before posting.