Add sql injection protection to DnnSqlDataSource #168

Closed
iJungleboy opened this issue Feb 28, 2015 · 1 comment
@iJungleboy

Various Ideas

  1. Require sql to only include placeholders like @value1 @value2 etc. (or ?, ?, ?) and provide the resolution separately.
  2. Automatically convert all tokens in the SQL to parameters, and supply them separately (so the SQL would contain Select * from Events where CategoryId = [QueryString:CatId], but would then be converted to Select * ... where CategoryId = @par1).

I personally prefer #2, but there is a minor problem: you might otherwise write SQL with quotes or merged strings like WHERE SomeColumn = 'InitialText' + '[QueryString:...]', which would require you to remove the quotes. So there may be a break between preparing SQL in another tool and copy/pasting it to the DnnSqlDataSource.

@iJungleboy

Added 2 layers in the EAV - one to prevent sql-string assembly and one to prevent insert/drop etc. statements in the SQL.
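Added example (not code from this issue or from the DNN/EAV project, and written in Python rather than the project's C# to keep it short) showing the two layers described above: option #2 from the first post, rewriting `[Source:Key]` tokens into `@parN` placeholders with the values handed back separately for parameter binding, and the second comment's idea of refusing non-SELECT statements. The token syntax is taken from the issue; `parameterize`, the `sources` dict shape and the blocked keyword list are assumptions. The quoted-token case from the first post is treated as an error rather than silently producing a literal `'@par1'`.

```python
import re

# Token syntax used in the issue: [Source:Key], e.g. [QueryString:CatId].
TOKEN_RE = re.compile(r"\[(?P<source>\w+):(?P<key>\w+)\]")
# Second layer: statement keywords to refuse. The exact list is an assumption;
# the issue only says "insert/drop etc."
BLOCKED_RE = re.compile(
    r"\b(insert|update|delete|drop|alter|truncate|exec|execute|merge)\b", re.I)


def parameterize(sql, sources):
    """Rewrite each [Source:Key] token to @parN and return (sql, params).

    `sources` is a constructed dict such as {"QueryString": {"CatId": "7"}}.
    Token values never enter the SQL text; they are returned separately so the
    caller binds them as real database parameters. A token inside a string
    literal ('[QueryString:X]') is refused, because '@par1' would then be a
    literal, not a parameter: the quoting problem the first post describes.
    """
    params, out, pos, in_quote = {}, [], 0, False
    while pos < len(sql):
        m = TOKEN_RE.match(sql, pos)
        if m:
            if in_quote:
                raise ValueError(
                    f"{m.group(0)} sits inside a string literal; drop the quotes")
            name = f"@par{len(params) + 1}"
            params[name] = sources[m.group("source")][m.group("key")]
            out.append(name)
            pos = m.end()
            continue
        if sql[pos] == "'":        # track single-quoted literals
            in_quote = not in_quote
        out.append(sql[pos])
        pos += 1
    if in_quote:
        raise ValueError("unterminated string literal")
    rewritten = "".join(out)
    # Layer two: only read-only statements get through. Checked on the rewritten
    # text, so a request value such as "drop" can neither trip nor bypass it.
    if BLOCKED_RE.search(rewritten) or not rewritten.lstrip().lower().startswith("select"):
        raise ValueError("only SELECT statements are allowed")
    return rewritten, params


if __name__ == "__main__":
    print(parameterize("SELECT * FROM Events WHERE CategoryId = [QueryString:CatId]",
                       {"QueryString": {"CatId": "7"}}))
```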
