prevent sql injection in dataset [message #1041001]
Sun, 14 April 2013 08:59
nari noori
Registered: November 2012
Used some days on this problem. Searched the web without finding any clear answer. I have a question regarding preventing SQL injection when running BIRT reports.
I build the queryText in the 'beforeOpen' event.
This is an example from my beforeOpen:
this.queryText="select * from MyTable where MyTable.Age=" + reportContext.getParameterValue('ageparam') + " and MyTable.EmployeeName = '" + reportContext.getParameterValue('name_param') + "'";
But I guess this leaves the SQL open for SQL injection. In Java, one can use prepared statements and by that prevent SQL injection. But how to achieve this in BIRT when using script in beforeOpen?
- Replace all "evil" characters (such as ' and --) before adding parameter values to the queryText? Not foolproof, I guess?
- Is it possible to run a prepared statement with Java from the beforeOpen event on the data set?
- Some other solution?
[Updated on: Sun, 14 April 2013 09:04]
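Added example, not part of the original post and not BIRT project code: it contrasts the concatenated query from the post and the "replace evil characters" idea with a constant query text that uses `?` markers and carries the values separately. `makeContext`, `stripEvil`, `buildParameterized` and `SAFE_SQL` are hypothetical names, the sample inputs are constructed, and it assumes the values would be bound to the `?` markers as data set parameters.

```javascript
// Hypothetical stand-in for BIRT's reportContext, so this runs in plain Node.
function makeContext(params) {
  return { getParameterValue: (name) => params[name] };
}

// The pattern from the post: parameter values are spliced into the SQL text.
function buildConcatenated(reportContext) {
  return "select * from MyTable where MyTable.Age=" +
    reportContext.getParameterValue('ageparam') +
    " and MyTable.EmployeeName = '" +
    reportContext.getParameterValue('name_param') + "'";
}

// The "replace evil characters" idea from the post: drop ' and --.
function stripEvil(value) {
  return String(value).replace(/'|--/g, "");
}

// Parameterized shape: the SQL text is a constant with ? markers and the
// values travel separately (assumption: bound as data set parameters).
const SAFE_SQL =
  "select * from MyTable where MyTable.Age = ? and MyTable.EmployeeName = ?";

function buildParameterized(reportContext) {
  const rawAge = String(reportContext.getParameterValue('ageparam')).trim();
  // Allow-list check: one to three digits, nothing else.
  if (!/^\d{1,3}$/.test(rawAge)) {
    throw new Error("ageparam must be a whole number");
  }
  const name = String(reportContext.getParameterValue('name_param'));
  return { text: SAFE_SQL, binds: [parseInt(rawAge, 10), name] };
}

// Constructed sample inputs.
const legit = makeContext({ ageparam: "42", name_param: "O'Brien" });
const numeric = makeContext({ ageparam: "42 or 1=1", name_param: "Smith" });

console.log(buildConcatenated(legit));   // quote in the name unbalances the literal
console.log(stripEvil("O'Brien"));       // filter damages a legitimate name
console.log(stripEvil("42 or 1=1"));     // filter leaves the unquoted age untouched
console.log(buildParameterized(legit));  // constant text, values kept as data
try { buildParameterized(numeric); } catch (e) { console.log(e.message); }
```

The character filter fails in both directions here: it alters a legitimate name and does nothing for the unquoted numeric parameter, while the parameterized form never lets a value become part of the SQL text.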