0 votes


In the EDN, we can see that using parameters in runquery is a security measure to avoid SQL injections.

I'm asking myself what happens if our query has no parameters.
Must we add a fake parameter in our query, like where 1 = :param1 (and of course in params, param1 = 1)?


asked in Efficy/ Client side by (367 points)

2 Answers

+1 vote
Best answer


SQL injections occur when query parameters are passed directly into the query string. Example:

var input = request.content.param; // "1;DROP TABLE ACTIONS;--";


Separating the query string from the query parameter values makes this kind of injection impossible, as the parameters will be escaped properly.

If the query has no parameters, there is no need to add a "fake" one, because no "potentially malicious" parameter will be added to the query string, and therefore there is no risk of SQL injection.


answered by (663 points)
selected by
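As an added example (not code from the answer above or from Efficy), the two patterns the answer contrasts side by side; bindNamed is a hypothetical stand-in for what the database layer does with the separated text and values, and the untrusted input is constructed:

```javascript
// Constructed attacker-style value, the same shape as the one quoted in the answer.
const untrusted = "1;DROP TABLE ACTIONS;--";

// Vulnerable pattern: the value is spliced into the SQL text, so the text itself changes.
function buildByConcatenation(id) {
  return "SELECT * FROM ACTIONS WHERE K_ACTION = " + id;
}

// Safer pattern: constant text plus a separate map of values, kept apart until binding.
function buildParameterized(id) {
  return { text: "SELECT * FROM ACTIONS WHERE K_ACTION = :param1", params: { param1: id } };
}

// Hypothetical binder standing in for the database layer (not the Efficy runquery API).
// It only substitutes :name placeholders found in the template; every value becomes a
// number or a quoted literal with embedded quotes doubled, so it cannot add SQL tokens.
// Parameters matching no placeholder are rejected, and a template without placeholders
// binds fine with an empty map: no "fake" parameter is needed.
// The placeholder regex is for illustration; a real binder tokenizes the SQL properly.
function bindNamed(text, params = {}) {
  const placeholders = new Set([...text.matchAll(/:(\w+)/g)].map((m) => m[1]));
  for (const key of Object.keys(params)) {
    if (!placeholders.has(key)) throw new Error(`unused parameter: ${key}`);
  }
  return text.replace(/:(\w+)/g, (_, name) => {
    if (!(name in params)) throw new Error(`missing parameter: ${name}`);
    const value = params[name];
    if (typeof value === "number" && Number.isFinite(value)) return String(value);
    return "'" + String(value).replace(/'/g, "''") + "'";
  });
}

// Demo: the concatenated text carries the injected statement; the bound one keeps it a literal.
console.log(buildByConcatenation(untrusted));
const q = buildParameterized(untrusted);
console.log(bindNamed(q.text, q.params));
console.log(bindNamed("SELECT * FROM ACTIONS WHERE 1 = 1"));
```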
0 votes

Starting from Efficy 11.2 (latest version), you can use <#SQLFragment> to work with query parameters that are provided via the URL. You can select between two alternatives for when there is no parameter:

  1. Provide a standard value, via the text attribute
  2. Don't render the SQL Fragment, via the optional attribute

SQL Fragments are very powerful query features and, especially now with the optional attribute, can help a lot in constructing Efficy and SQL queries.

answered by (7.4k points)