|Preventing SQL Injection [message #656884]
||Mon, 28 February 2011 21:35
| Josh Hall
Registered: October 2010
Typically I use query parameters in my BIRT data sets to avoid SQL injection attacks:-|
where organization_id = ?
However, using the above example, if I need to allow 'All' organizations as a possible selection from the user, I (poorly) handle it like this:-
and I add the where clause manually in the event handler if the user actually selects an Organization.
dataSet.setQueryText(dataSet.getQueryText() + myWhereClauseIncludingUserEnteredData);
This leaves my reports vulnerable to injection attacks. Any suggestions on how to handle the 'All' option without the security risk of the injection attack?
Powered by FUDForum
. Page generated in 0.13156 seconds