prevent sql injection in dataset [message #1041001]
Sun, 14 April 2013 12:59
nari noori Messages: 33 Registered: November 2012
Member
Hi,
I have spent some days on this problem and searched the web without finding any clear answer. I have a question regarding preventing SQL injection when running BIRT reports.
I build the queryText in the 'beforeOpen' event.
This is an example from my beforeOpen:
this.queryText="select * from MyTable where MyTable.Age=" + reportContext.getParameterValue('ageparam') + " and MyTable.EmployeeName = '" + reportContext.getParameterValue('name_param') + "'";
But I guess this leaves the SQL open to SQL injection. In Java, one can use prepared statements and thereby prevent SQL injection. But how do I achieve this in BIRT when using script in beforeOpen?
Solutions?
- Replace all "evil" characters (such as ' and --) before adding parameter values to the queryText? Not fool-proof, I guess?
- Is it possible to run a PreparedStatement with Java from the beforeOpen event on the dataset?
- Is it possible to run something equivalent to a Java PreparedStatement with JavaScript from the beforeOpen event on the dataset?
- Some other solution?
[Updated on: Sun, 14 April 2013 13:04]
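As an added example (not code from the original post, and not a BIRT API), the following JavaScript shows the separation a prepared statement gives you: the SQL text stays fixed with "?" markers and the parameter values travel alongside it after validation. In BIRT the usual way to get this is to keep the "?" markers in the data set query and bind them to report parameters via data set parameters, so the JDBC driver runs a PreparedStatement; the function names below are hypothetical and exist only so the idea can be run and tested outside BIRT.

```javascript
// Added example, not code from the original post or from BIRT itself.
// Fixed statement text: parameter values never become part of this string.
var FIXED_SQL =
  "select * from MyTable where MyTable.Age = ? and MyTable.EmployeeName = ?";

// ageparam must be a short whole number. Anything else is rejected outright
// rather than "cleaned up", so no non-numeric text can reach the SQL.
function validateAge(value) {
  var text = String(value).trim();
  if (!/^\d{1,3}$/.test(text)) {
    throw new Error("ageparam must be a 1-3 digit integer");
  }
  return parseInt(text, 10);
}

// name_param is passed as a bind value, so an apostrophe as in O'Brien is
// data, not SQL syntax. Only type and length are constrained here.
function validateName(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 64) {
    throw new Error("name_param must be a non-empty string of at most 64 chars");
  }
  return value;
}

// Returns the unchanging query text plus the ordered bind values.
// (Hypothetical helper; in BIRT the binding is done in the report design.)
function buildPreparedQuery(params) {
  return {
    sql: FIXED_SQL,
    binds: [validateAge(params.ageparam), validateName(params.name_param)]
  };
}

// The concatenation from the question, kept only for contrast: here the
// parameter value is spliced into the statement text itself, so a perfectly
// legitimate name with an apostrophe already produces a malformed statement.
function buildConcatenatedQuery(params) {
  return "select * from MyTable where MyTable.Age=" + params.ageparam +
    " and MyTable.EmployeeName = '" + params.name_param + "'";
}

// Constructed sample input: a real-looking name containing an apostrophe.
var sample = { ageparam: "42", name_param: "O'Brien" };
console.log(JSON.stringify(buildPreparedQuery(sample)));
console.log(buildConcatenatedQuery(sample));
```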