
How to prevent Sql injection in reports?

Posted: Thu Jan 31, 2019 11:38 am
by alireza_s_84
Hi,
If we use variables in a query like this:

SELECT * FROM People WHERE FirstName = {FirstName}

everyone can manipulate the query or the variable value and attack by SQL injection.
We solve this with a little hack: we change the onBeginProcessData event handler and add a custom property to the event:

viewer.onBeginProcessData = function (event) {
    // Custom property on the event: a plain name -> value map of the report
    // variables, sent to the server so it can bind them as SQL parameters
    // instead of pasting them into the query text.
    var paramaters = event.paramaters = {};
    report.variables.keys.forEach((key, index, arr) => {
        // The last key in the collection is skipped on purpose.
        if (index != arr.length - 1) {
            paramaters[key] = report.getVariable(key);
        }
    });
};

Then we change our data source query to:

SELECT * FROM People WHERE FirstName = @FirstName

Then on the server side we convert it to a SqlParameter, which solves this problem.
I want to know if there is a better solution?
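The server-side half of the approach above, as an added example that is not part of the original post and not Stimulsoft's code: it takes the parameter map the viewer sends and rewrites the report's `@Name` placeholders into driver placeholders with the values kept in a separate array, the way a SqlParameter list is built, so the values never become part of the SQL text. The unsafe string interpolation of `{Name}` is shown beside it for contrast. Function and parameter names are assumptions, and the sample query and values are constructed.

```javascript
// Added example (not from the original thread). The viewer-side code
// above sends a plain object of report variables to the server; here the
// server turns the query text plus that object into a parameterized
// statement instead of a string with values pasted in.

// The original (vulnerable) approach: the variable value is interpolated
// into the SQL text, so quotes or SQL syntax in the value change the query.
function interpolateUnsafe(sql, params) {
  return sql.replace(/\{(\w+)\}/g, (match, name) => "'" + params[name] + "'");
}

// Safe approach: replace each @Name token with a positional placeholder and
// collect the values in order. Single-quoted string literals in the query
// are copied verbatim (including doubled '' escapes) so an '@' inside a
// literal, such as an e-mail address, is not mistaken for a parameter.
// A placeholder with no matching variable is an error rather than being
// silently left in the query text.
function bindReportParameters(sql, params) {
  const values = [];
  let text = '';
  let i = 0;
  while (i < sql.length) {
    const ch = sql[i];
    if (ch === "'") {
      let j = i + 1;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; } // escaped quote
          break;
        }
        j++;
      }
      text += sql.slice(i, j + 1);
      i = j + 1;
      continue;
    }
    if (ch === '@') {
      const m = /^[A-Za-z_][A-Za-z0-9_]*/.exec(sql.slice(i + 1));
      if (m) {
        const name = m[0];
        if (!Object.prototype.hasOwnProperty.call(params, name)) {
          throw new Error('Unbound report parameter: @' + name);
        }
        values.push(params[name]); // value travels separately from the SQL text
        text += '?';
        i += 1 + name.length;
        continue;
      }
    }
    text += ch;
    i++;
  }
  return { text, values };
}

// Constructed sample: a value containing a quote, and a literal containing '@'.
const sampleParams = { FirstName: "O'Brien", MinId: 10 };
const unsafeSql = interpolateUnsafe(
  'SELECT * FROM People WHERE FirstName = {FirstName}', sampleParams);
const bound = bindReportParameters(
  "SELECT * FROM People WHERE FirstName = @FirstName AND Email <> 'x@y' AND Id > @MinId",
  sampleParams);

console.log(unsafeSql);     // the quote in the value lands inside the SQL text
console.log(bound.text);    // placeholders only; no user data in the statement
console.log(bound.values);  // [ "O'Brien", 10 ] handed to the driver separately
```

With a driver that accepts named parameters (SQL Server clients bind `@FirstName` by name), the query text can be passed unchanged and the values bound directly from the map; the rewrite to `?` is for drivers that only take positional placeholders. Either way the value is bound, not escaped, so the engine's escaping option becomes a second layer rather than the only defence.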

Re: How to prevent Sql injection in reports?

Posted: Mon Feb 04, 2019 8:25 am
by Lech Kulikowski
Hello,

If the parameter is processed by the report generator engine (a variable of the same name is created in the data dictionary), the values in the SQL queries will be escaped. This is controlled by the option:
StiOptions.Engine.escapeQueryParameters
It is enabled by default.

If the SQL parameters are replaced on the PHP server side, then there is no escaping algorithm; in this case you can control the values yourself, since they are replaced with the help of PHP code.

Thank you.

Re: How to prevent Sql injection in reports?

Posted: Tue Feb 05, 2019 9:46 pm
by alireza_s_84
Lech Kulikowski wrote: Mon Feb 04, 2019 8:25 am
> Hello,
>
> If the parameter is processed by the report generator engine (a variable of the same name is created in the data dictionary), the values in the SQL queries will be escaped. This is controlled by the option:
> StiOptions.Engine.escapeQueryParameters
> It is enabled by default.
>
> If the SQL parameters are replaced on the PHP server side, then there is no escaping algorithm; in this case you can control the values yourself, since they are replaced with the help of PHP code.
>
> Thank you.

Thanks a lot for the answer.

Re: How to prevent Sql injection in reports?

Posted: Wed Feb 06, 2019 7:16 am
by Andrew
You are welcome!