Creating reports and dashboards | Stimulsoft community forum

Reporting tool and data analytics tools for creating reports and dashboards in ASP.NET, ASP.NET MVC, .NET Core, Blazor, Angular, PHP, Python, WPF, JavaScript, and Java applications.
https://forum.stimulsoft.com/

How to prevent Sql injection in reports?

https://forum.stimulsoft.com/viewtopic.php?t=57143

Page 1 of 1

How to prevent Sql injection in reports?

Posted: Thu Jan 31, 2019 11:38 am
by alireza_s_84
Hi:
If we use variables in query like this:

Code: Select all

SELECT * FROM People WHERE FirstName = {FirstName}
Every one can manipulate query or variable value and attack by sql injection.
we solve this by little hack by change onBeginProcessData event and add a custom property to event:

Code: Select all

viewer.onBeginProcessData = function (event) {
    var paramaters = event.paramaters = {};
    report.variables.keys.forEach((key, index, arr) => {
        if (index != arr.length - 1) {
            paramaters[key] = report.getVariable(key);
        }
    });
};

Then change our Data source query as:

Code: Select all

SELECT * FROM People WHERE FirstName = @FirstName
Then in server side convert it to SqlParameter and solve this problem.
Want to know if there is a better solution?

Re: How to prevent Sql injection in reports?

Posted: Mon Feb 04, 2019 8:25 am
by Lech Kulikowski
Hello,

If the parameter is processed using the report generator engine (the variable of the same name is created in the data dictionary), the values in the SQL queries will be escaped, for this is the option:
StiOptions.Engine.escapeQueryParameters
it is enabled by default

If the SQL parameters are replaced on the PHP server side, then there is no screening algorithm, in this case, you can control the values yourself since they are replaced with help php code.

Thank you.

Re: How to prevent Sql injection in reports?

Posted: Tue Feb 05, 2019 9:46 pm
by alireza_s_84
Lech Kulikowski wrote: Mon Feb 04, 2019 8:25 am Hello,

If the parameter is processed using the report generator engine (the variable of the same name is created in the data dictionary), the values in the SQL queries will be escaped, for this is the option:
StiOptions.Engine.escapeQueryParameters
it is enabled by default

If the SQL parameters are replaced on the PHP server side, then there is no screening algorithm, in this case, you can control the values yourself since they are replaced with help php code.

Thank you.
Thanks a lot for answer.

Re: How to prevent Sql injection in reports?

Posted: Wed Feb 06, 2019 7:16 am
by Andrew
You are welcome!
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited