Hi all,
I am getting SQL injection warnings in my query. I read about the SQL warnings, but all the information is about the IN clause and the ORDER BY clause. I am not sure how it will be helpful in my situation, where my input parameter is a subquery and the Expand Inline property needs to be set to Yes. I tried using EncodeSql and VerifySqlLiteral, but they also throw invalid literal exceptions.
Please suggest ways to remove this warning. I am attaching a screenshot of the query.
Thanks and regards,
Shraddha Kadam.
Hello, Shraddha.
If possible, send a screenshot of the warning.
Thanks and regards,
Akshay Deshpande
This is my warning message.
Avoid enabling the Expand Inline property of a SQL Query Parameter since it could make your application vulnerable to SQL injection.
Thank you for revealing it.
This is because you set Expand Inline to true.
If possible, please refer to this article. You will get your answer.
I hope this is helpful.
Thanks and regards,
Akshay Deshpande
When you set a parameter's Expand Inline attribute to true, the warning can't be removed.
If you can guarantee there is no SQL injection risk, then you can just hide this warning.
Kind Regards,
Hi Shraddha,
You can use the VerifySqlLiteral() or EncodeSql() functions from the Sanitization Extension to ensure it only contains valid SQL literals.
You can refer to this documentation.
Hope it helps.
Hi,
You can also check this documentation on how to build dynamic SQL statements correctly.
https://success.outsystems.com/Documentation/Best_Practices/Development/Building_Dynamic_SQL_Statements_the_Right_Way
Hope this can help.
Best regards,
Ricardo Pereira
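As an added illustration (not code from this thread or from OutSystems), here is a Python sketch of the two answers above: a hypothetical analogue of a literal check, which rejects a subquery because a subquery is SQL text rather than a literal, and a safer pattern for the original question, where only a developer-written, allowlisted subquery is expanded inline and the user's value stays an ordinary bound parameter. The schema, sample rows, allowlist keys and function names are all constructed for the example.

```python
import re
import sqlite3

# Constructed schema and rows standing in for the application's entities.
SCHEMA = """
CREATE TABLE Orders (Id INTEGER, CustomerId INTEGER, Status TEXT);
INSERT INTO Orders VALUES (1, 10, 'open'), (2, 10, 'closed'), (3, 20, 'open');
"""

# Developer-owned subqueries: the only SQL text that is ever expanded inline.
# The caller picks one by key; the customer id stays a normal bound parameter.
ALLOWED_SUBQUERIES = {
    "orders_by_customer": "SELECT Id FROM Orders WHERE CustomerId = ?",
    "open_orders": "SELECT Id FROM Orders WHERE Status = 'open' AND CustomerId = ?",
}

# A plain number, or a single-quoted string with no embedded quote.
_LITERAL = re.compile(r"^(?:\d+(?:\.\d+)?|'[^']*')$")


def verify_sql_literal(value: str) -> str:
    """Hypothetical analogue of a literal check (not the OutSystems function):
    accept only a number or a quoted string and raise on anything else.
    A value like "(SELECT ...)" is SQL, not a literal, so it is rejected,
    which is the behaviour the question describes."""
    if not _LITERAL.match(value):
        raise ValueError(f"invalid literal: {value!r}")
    return value


def build_query(subquery_key: str) -> str:
    """Expand only an allowlisted subquery inline; unknown keys are refused."""
    try:
        sub = ALLOWED_SUBQUERIES[subquery_key]
    except KeyError:
        raise ValueError(f"unknown subquery key: {subquery_key!r}") from None
    return f"SELECT Id, Status FROM Orders WHERE Id IN ({sub}) ORDER BY Id"


def run(subquery_key: str, customer_id: int) -> list:
    """Run the built query against an in-memory database; the customer id
    is passed as a bound parameter, never concatenated into the SQL."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = conn.execute(build_query(subquery_key), (customer_id,)).fetchall()
    conn.close()
    return rows
```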