preventing SQL injection


Segi
Ebase User
Posts: 649
Joined: Mon Dec 09, 2013 6:37 pm

#1

Postby Segi » Thu Jul 20, 2017 6:37 pm

This post http://forum.ebasetech.com/forum/viewto ... +injection mentions how you can prevent SQL injection.

Hovik sent me a PowerPoint document that goes into detail on how to prevent this.

The example in the doc uses an assisted SQL resource but I am using a native SQL resource.

"Use Prepared Statements" is checked for my DB resource.

The query is defined as

SELECT * FROM MyTable &&WHERECLAUSE

The resource field WHERECLAUSE has unique key, read only and persistent unchecked and dynamic SQL is checked

When I want to apply the filter, I am trying to follow the example in the PowerPoint doc, so instead of doing:

tables.MYDBRESOURCE.WHERECLAUSE.value="WHERE Status=" + fields.Status.value;

I changed it to:

tables.MYDBRESOURCE.WHERECLAUSE.value="WHERE Status=&&Status";
It's implied in the PowerPoint doc that the value of the Status field would be safely substituted into this where clause, but I am getting the error

Field substitution error, reference to field Status which does not exist in resource MYDBRESOURCE

I should mention that this where clause is going to be built based on the value of a few filters, not just one filter field.

What am I doing wrong?

Jon
Moderator
Moderator
Posts: 1342
Joined: Wed Sep 12, 2007 12:49 pm

#2

Postby Jon » Fri Jul 21, 2017 6:51 am

Status must exist as a field in the Database Resource which should be marked as not persistent, and this field should be mapped to a form field.

Here's the standard doc: http://www.ebasetech.com/ebase/doc/Data ... c407616152
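An added example, written for this thread and not code from Verj.io/Ebase or from either poster, showing the pattern that the question and the answer together describe: the WHERE clause that is built from several filters contains only whitelisted column names and &&Name placeholders, while the user-supplied values are kept separate for the prepared statement to bind. The column names Status, Owner and Priority, the function names and the filter object are assumptions; in Verj.io the binding itself is done by the database resource with "Use Prepared Statements" checked, and each &&Name must exist as a non-persistent resource field mapped to a form field, as Jon's answer says. The example only demonstrates how to keep data out of the SQL text and why the concatenated form from the original post does not.

```javascript
// Added illustration (not Verj.io/Ebase code) of building a multi-filter WHERE
// clause for the pattern discussed in this thread. The SQL text contains only
// whitelisted column names and &&Name placeholders; the filter values are
// returned separately so the prepared statement binds them.

// Constructed whitelist of filterable columns for the hypothetical MyTable.
// Identifiers cannot be bound as parameters, so they must be whitelisted.
const FILTERABLE_COLUMNS = new Set(["Status", "Owner", "Priority"]);

// Build "WHERE col=&&col AND ..." from an object of filter values.
// Empty filters are skipped; an unknown column name is rejected rather than
// interpolated into the query text.
function buildWhereClause(filters) {
  const clauses = [];
  const params = {};
  for (const [column, value] of Object.entries(filters)) {
    if (!FILTERABLE_COLUMNS.has(column)) {
      throw new Error("Unknown filter column: " + column);
    }
    if (value === undefined || value === null || value === "") continue;
    clauses.push(column + "=&&" + column);
    params[column] = value; // bound by the prepared statement, never concatenated
  }
  const sql = clauses.length ? "WHERE " + clauses.join(" AND ") : "";
  return { sql, params };
}

// The concatenation form from the original post, kept for comparison: the
// value becomes part of the SQL text, so a quote or keyword inside the data
// changes the meaning of the query.
function unsafeWhereClause(filters) {
  const clauses = [];
  for (const [column, value] of Object.entries(filters)) {
    if (value === undefined || value === null || value === "") continue;
    clauses.push(column + "=" + value);
  }
  return clauses.length ? "WHERE " + clauses.join(" AND ") : "";
}

// Defensive check: true only if the SQL text is made of whitelisted
// "Column=&&Column" pairs, i.e. no data has leaked into the query text.
function isParameterizedOnly(sql) {
  if (sql === "") return true;
  const m = /^WHERE (.+)$/.exec(sql);
  if (!m) return false;
  return m[1].split(" AND ").every(function (pair) {
    const parts = /^([A-Za-z_]+)=&&([A-Za-z_]+)$/.exec(pair);
    return parts !== null && parts[1] === parts[2] && FILTERABLE_COLUMNS.has(parts[1]);
  });
}

// Constructed filter input, including a value with a quote and an empty filter.
const SAMPLE_FILTERS = { Status: "Open", Owner: "O'Brien", Priority: "" };

const safe = buildWhereClause(SAMPLE_FILTERS);
console.log(safe.sql);                       // WHERE Status=&&Status AND Owner=&&Owner
console.log(safe.params);                    // { Status: 'Open', Owner: "O'Brien" }
console.log(isParameterizedOnly(safe.sql));  // true
console.log(unsafeWhereClause(SAMPLE_FILTERS)); // WHERE Status=Open AND Owner=O'Brien
```

In the Verj.io setting the `sql` string is what goes into the WHERECLAUSE dynamic SQL field, and each key of `params` corresponds to a non-persistent resource field (Status, Owner, ...) whose value is set from the matching form field before the resource is fetched.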
