Eclipse Community Forums
Forum Search:

Search      Help    Register    Login    Home
Home » Eclipse Projects » BIRT » prevent sql injection in dataset
prevent sql injection in dataset [message #1041001] Sun, 14 April 2013 12:59 Go to next message
nari noori is currently offline nari noori
Messages: 33
Registered: November 2012
Member
Hi,

Used some days on this problem. searched the web without finding any clear answer. i have a question regarding preventing sql injection when running birt reports.

I build the queryText in 'beforeOpen'-event.

this is an example from my beforeOpen:
this.queryText="select * from MyTable where MyTable.Age=" + reportContext.getParameterValue('ageparam') + " and MyTable.EmployeeName = '" + reportContext.getParameterValue('name_param') + "'";


But i guess this leaves the sql open for sql injection. In Java, one can use prepared statements and by that prevent sql injection. But how to achieve this in Birt when using script in beforeopen?

Solutions ?
- replace all "evil"-characters (as ' and --) before adding paramter-values to the queryText ? not fool-proof i guess?
- is it possible to run preparedstatement with java from the before-open event on dataset ?
- is it possible to run something equal to java-preparedsatement with javascript from the before open event on dataset ?
- some other solution ?

[Updated on: Sun, 14 April 2013 13:04]

Report message to a moderator

Re: prevent sql injection in dataset [message #1044177 is a reply to message #1041001] Thu, 18 April 2013 15:25 Go to previous message
Andrew Aiken is currently offline Andrew Aiken
Messages: 4
Registered: March 2013
Junior Member
You can use Java Objects as your data source in BIRT. The following link has an example of how to do this: www.vogella.com/articles/EclipseBIRT/article.html
Previous Topic:NullPointerException in jar from Eclipse
Next Topic:How to access report parameter default values from a DataSetWizardPage class?
Goto Forum:
  


Current Time: Wed Oct 01 22:39:27 GMT 2014

Powered by FUDForum. Page generated in 0.01533 seconds
.:: Contact :: Home ::.

Powered by: FUDforum 3.0.2.
Copyright ©2001-2010 FUDforum Bulletin Board Software