0 votes

Hi,

In the EDN, we can see that using parameters in runquery is recommended for security reasons, to avoid SQL injections.

I'm wondering what happens if our query has no parameters?
Must we add a fake parameter to our query, like where 1 = :param1 (and of course, in params, param1 = 1)?

Regards,

asked in Efficy/ Client side by (336 points)

2 Answers

+1 vote
Best answer

Hi,

SQL injections occur when query parameters are passed directly into the query string. Example:

var input = request.content.param; // e.g. "1;DROP TABLE ACTIONS;--"

// Vulnerable: the user-supplied value is concatenated into the query string,
// so the database parses it as SQL instead of treating it as data.
var sql = "SELECT * FROM ACTIONS WHERE K_ACTION = " + input;

Separating the query string from the query parameter values makes this kind of injection impossible, as the parameters will be escaped properly.

If the query has no parameters, there is no need to add a "fake" one because no "potentially malicious" parameters will be added in the query string, and therefore there is no risk of SQL injections.

Cheers

answered by (659 points)
selected by
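The contrast the accepted answer draws, shown as an added example that is not part of this thread and not Efficy's own code: Python's built-in sqlite3 module stands in for runquery, the ACTIONS table and its rows are constructed, and the input value is the one from the answer above. The concatenated form lets the database execute the injected statement (executescript is used so that, like a driver accepting batched statements, every statement in the string runs); the parameterized form binds the same value as data, so it never matches as SQL and the table survives.

```python
import sqlite3

# Constructed sample input: the same value the answer above uses as its example.
MALICIOUS_INPUT = "1;DROP TABLE ACTIONS;--"
LEGITIMATE_INPUT = "1"


def fresh_db():
    """In-memory database with a constructed ACTIONS table (not Efficy's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACTIONS (K_ACTION INTEGER, SUBJECT TEXT)")
    conn.executemany(
        "INSERT INTO ACTIONS VALUES (?, ?)",
        [(1, "Call customer"), (2, "Send offer")],
    )
    conn.commit()
    return conn


def table_exists(conn):
    """True while the ACTIONS table is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'ACTIONS'"
    ).fetchone()
    return row is not None


def query_concatenated(conn, user_input):
    """Vulnerable form: the value is pasted into the query string.

    executescript runs every statement in the string, so the injected
    'DROP TABLE ACTIONS' executes right after the SELECT.
    Returns whether the table survived.
    """
    sql = "SELECT * FROM ACTIONS WHERE K_ACTION = " + user_input
    conn.executescript(sql)
    return table_exists(conn)


def query_parameterized(conn, user_input):
    """Hardened form: query text and parameter value are passed separately.

    The driver binds the value; it is compared as data, never parsed as SQL.
    Returns (table survived, matching rows).
    """
    rows = conn.execute(
        "SELECT * FROM ACTIONS WHERE K_ACTION = ?", (user_input,)
    ).fetchall()
    return table_exists(conn), rows


def run_demo():
    """Run both forms against the same input and report the outcome."""
    concat_survived = query_concatenated(fresh_db(), MALICIOUS_INPUT)
    param_survived, param_rows = query_parameterized(fresh_db(), MALICIOUS_INPUT)
    _, legit_rows = query_parameterized(fresh_db(), LEGITIMATE_INPUT)
    return {
        "concatenated_table_survives": concat_survived,   # False: table dropped
        "parameterized_table_survives": param_survived,   # True
        "parameterized_rows_for_malicious_input": param_rows,  # [] (no row matches)
        "parameterized_rows_for_legitimate_input": legit_rows,  # [(1, "Call customer")]
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The legitimate lookup still works through the parameterized path because the bound "1" is compared as a value against the column, while the injected string simply matches no row. This is also why the accepted answer's point holds: with no user-supplied value in the query text at all, there is nothing for a parameter to protect, so a fake parameter adds nothing.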
0 votes

Starting from Efficy 11.2 (latest version), you can use <#SQLFragment> to work with query parameters that are provided via the URL. You can select between two alternatives for when there is no parameter:

  1. Provide a standard value, via the text attribute
  2. Don't render the SQL Fragment, via the optional attribute

SQL Fragments are very powerful query features and, especially now with the optional attribute, can help a lot to construct Efficy and SQL queries.

answered by (6.8k points)