prevent sql injection in dataset [message #1041001] Sun, 14 April 2013 08:59
Eclipse UserFriend
Hi,

I have spent some days on this problem and searched the web without finding any clear answer. I have a question regarding preventing SQL injection when running BIRT reports.

I build the queryText in the 'beforeOpen' event.

This is an example from my beforeOpen:
this.queryText="select * from MyTable where MyTable.Age=" + reportContext.getParameterValue('ageparam') + " and MyTable.EmployeeName = '" + reportContext.getParameterValue('name_param') + "'";


But I guess this leaves the SQL open to SQL injection. In Java, one can use prepared statements and thereby prevent SQL injection. But how can this be achieved in BIRT when using script in beforeOpen?

Solutions?
- Replace all "evil" characters (such as ' and --) before adding parameter values to the queryText? Not foolproof, I guess?
- Is it possible to run a PreparedStatement with Java from the beforeOpen event on the dataset?
- Is it possible to run something equivalent to a Java PreparedStatement with JavaScript from the beforeOpen event on the dataset?
- Some other solution?

[Updated on: Sun, 14 April 2013 09:04] by Moderator
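The difference between splicing the report parameters into the SQL text and handing them over as bind values, shown in plain JavaScript as an added example that is not from the original post or from the BIRT project. It models the PreparedStatement shape (constant SQL with `?` markers plus a separate list of values, which is what a JDBC data set's own parameter binding supplies); `params` is a stand-in for the values reportContext.getParameterValue() would return, and the helper and sample names are assumptions.

```javascript
// Added example, not code from the original post or from BIRT.
// `params` stands in for reportContext.getParameterValue() results
// (assumption: a plain object keyed by report parameter name).

// The approach from the post: parameter values spliced into the SQL text.
function naiveQuery(params) {
  return "select * from MyTable where MyTable.Age=" + params.ageparam +
    " and MyTable.EmployeeName = '" + params.name_param + "'";
}

// Hardened shape: the SQL text is a constant with '?' markers and the
// user-supplied values travel separately as bind values, so no value can
// change the structure of the statement. The age is checked to be an
// integer before it is used at all.
function parameterizedQuery(params) {
  var age = String(params.ageparam);
  if (!/^-?\d+$/.test(age)) {
    throw new Error("ageparam must be an integer, got: " + age);
  }
  return {
    sql: "select * from MyTable where MyTable.Age = ? " +
         "and MyTable.EmployeeName = ?",
    binds: [parseInt(age, 10), String(params.name_param)]
  };
}

// Detection helper: an odd number of single quotes means a quote inside a
// value has terminated the string literal and altered the query structure.
function unbalancedQuotes(sql) {
  return (sql.match(/'/g) || []).length % 2 === 1;
}

// Constructed input: a perfectly legitimate name containing an apostrophe
// is enough to break the concatenated query; the bound form is unaffected.
var sample = { ageparam: 42, name_param: "O'Brien" };
```

With the naive builder the apostrophe in the name ends the literal early; with the parameterized builder the SQL text never contains the name at all.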

Re: prevent sql injection in dataset [message #1044177 is a reply to message #1041001] Thu, 18 April 2013 11:25
Eclipse UserFriend
You can use Java Objects as your data source in BIRT. The following link has an example of how to do this: www.vogella.com/articles/EclipseBIRT/article.html