How to prevent Sql injection in reports?

Stimulsoft Reports.JS discussion
alireza_s_84
Posts: 18
Joined: Fri Jan 27, 2017 4:43 am

How to prevent Sql injection in reports?

Post by alireza_s_84 »

Hi,
If we use variables in a query like this:

Code:

SELECT * FROM People WHERE FirstName = {FirstName}
Everyone can manipulate the query or the variable value and attack by SQL injection.
We solve this with a little hack: we change the onBeginProcessData event and add a custom property to the event:

Code:

viewer.onBeginProcessData = function (event) {
    // Custom property attached to the event: a plain object that the
    // server side reads and turns into bound SQL parameters.
    var paramaters = event.paramaters = {};
    // Copy every report variable by name, skipping only the last key.
    report.variables.keys.forEach((key, index, arr) => {
        if (index != arr.length - 1) {
            paramaters[key] = report.getVariable(key);
        }
    });
};

Then we change our data source query to:

Code:

SELECT * FROM People WHERE FirstName = @FirstName
Then on the server side we convert it to an SqlParameter, which solves the problem.
I want to know if there is a better solution?
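The server-side half of the approach described in this post, as an added example that is not Stimulsoft's code and not the poster's own implementation: the query keeps its `@Name` placeholders, and the values collected in onBeginProcessData are never spliced into the SQL string. Instead the query is rewritten into a driver-style parameterized statement (positional `?` placeholders plus a separate values array), only parameters the query actually references are accepted from the client, and a missing parameter is an error. The function and variable names, the `?` placeholder convention and the sample input are assumptions made for this example.

```javascript
// Added example (not Stimulsoft's code): server-side handling of the
// parameters object collected in onBeginProcessData. The report query uses
// "@Name" placeholders; rather than interpolating values into the SQL text,
// it is turned into a parameterized statement so the database engine treats
// every value as data, never as SQL.

const PLACEHOLDER = /@([A-Za-z_][A-Za-z0-9_]*)/g;

// Convert "@Name" placeholders to positional "?" and collect the values in
// the same order. A placeholder with no supplied value is an error, so a
// query can never run with a silently empty condition.
function bindQueryParameters(sql, parameters) {
  const values = [];
  const text = sql.replace(PLACEHOLDER, (match, name) => {
    if (!Object.prototype.hasOwnProperty.call(parameters, name)) {
      throw new Error(`missing report parameter: ${name}`);
    }
    values.push(parameters[name]);
    return '?';
  });
  return { text, values };
}

// Allow-list the keys posted by the viewer: only names referenced by the
// query are kept, anything else the client sends is dropped.
function pickReferencedParameters(sql, posted) {
  const referenced = new Set(Array.from(sql.matchAll(PLACEHOLDER), m => m[1]));
  const picked = {};
  for (const name of referenced) {
    if (Object.prototype.hasOwnProperty.call(posted, name)) {
      picked[name] = posted[name];
    }
  }
  return picked;
}

// Constructed sample input: the query from the thread, and a posted value
// that contains a single quote plus an extra key the query never uses.
const QUERY = 'SELECT * FROM People WHERE FirstName = @FirstName';
const POSTED = { FirstName: "O'Brien", Unused: 'ignored' };

// The hardened path: filter, then bind. The quote stays inside the value.
function prepareReportQuery(sql, posted) {
  return bindQueryParameters(sql, pickReferencedParameters(sql, posted));
}

// The pattern being replaced, kept only for contrast: string interpolation
// puts the value's quote character into the SQL text itself.
function naiveInterpolation(sql, parameters) {
  return sql.replace(PLACEHOLDER, (match, name) => `'${parameters[name]}'`);
}

// prepareReportQuery(QUERY, POSTED) returns
//   { text: 'SELECT * FROM People WHERE FirstName = ?', values: ["O'Brien"] }
// and the values array is handed to the database driver's parameterized
// execute call (the exact call depends on the driver in use).
```

The `text`/`values` pair maps directly onto what most database drivers accept for a prepared statement; the point is that the value array is passed to the driver separately and the SQL text the server sends is fixed regardless of what the client posted.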
Lech Kulikowski
Posts: 6263
Joined: Tue Mar 20, 2018 5:34 am

Re: How to prevent Sql injection in reports?

Post by Lech Kulikowski »

Hello,

If the parameter is processed by the report generator engine (a variable of the same name is created in the data dictionary), the values in the SQL queries will be escaped. The option for this is:
StiOptions.Engine.escapeQueryParameters
It is enabled by default.

If the SQL parameters are replaced on the PHP server side, then there is no screening algorithm; in this case you can control the values yourself, since they are replaced with the help of PHP code.

Thank you.
alireza_s_84
Posts: 18
Joined: Fri Jan 27, 2017 4:43 am

Re: How to prevent Sql injection in reports?

Post by alireza_s_84 »

Lech Kulikowski wrote: Mon Feb 04, 2019 8:25 am
Hello,

If the parameter is processed by the report generator engine (a variable of the same name is created in the data dictionary), the values in the SQL queries will be escaped. The option for this is:
StiOptions.Engine.escapeQueryParameters
It is enabled by default.

If the SQL parameters are replaced on the PHP server side, then there is no screening algorithm; in this case you can control the values yourself, since they are replaced with the help of PHP code.

Thank you.
Thanks a lot for the answer.
Andrew
Posts: 4105
Joined: Fri Jun 09, 2006 3:58 am

Re: How to prevent Sql injection in reports?

Post by Andrew »

You are welcome!