How to prevent Sql injection in reports?
Posted: Thu Jan 31, 2019 11:38 am
Hi:
If we use variables in the query like this:
Code:
SELECT * FROM People WHERE FirstName = {FirstName}
everyone can manipulate the query or the variable value and attack by SQL injection.
We solve this with a little hack: change the onBeginProcessData event and add a custom property to the event:
Code:
viewer.onBeginProcessData = function (event) {
    // Custom property that our server-side handler reads.
    var paramaters = event.paramaters = {};
    // Copy every report variable except the last one into the custom property.
    report.variables.keys.forEach((key, index, arr) => {
        if (index != arr.length - 1) {
            paramaters[key] = report.getVariable(key);
        }
    });
};
Then change our data source query to:
Code:
SELECT * FROM People WHERE FirstName = @FirstName
Then on the server side convert it to SqlParameter and solve this problem.
Want to know if there is a better solution?
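An added example, not code from the original post or from Stimulsoft, written in JavaScript because that is what the viewer-side code above uses. It shows the two halves of the problem in runnable form: why pasting a variable value into the query text is injectable, and a helper that turns the {Var} placeholders into @Var parameters plus a separate value map, which is the shape a server-side handler can convert into SqlParameter objects. The helpers inlineVariables, parameterizeQuery and validateParameterizedQuery are hypothetical names chosen for this example, and the injection payload is a constructed sample.

```javascript
// Added example (not from the original post or from Stimulsoft).
// Demonstrates the injectable "inline the variable" pattern next to a
// parameterized rewrite of the same query.

// Vulnerable pattern: the variable value becomes part of the SQL text, so
// quotes and operators inside the value are interpreted as SQL.
function inlineVariables(queryText, variables) {
  return queryText.replace(/\{(\w+)\}/g, (_, name) => {
    if (!Object.prototype.hasOwnProperty.call(variables, name)) {
      throw new Error(`no value for variable ${name}`);
    }
    return `'${variables[name]}'`;
  });
}

// Hardened pattern: every {Var} placeholder is replaced by an @Var parameter
// marker and the value is carried separately. The database driver binds the
// value, so its content can never change the query structure.
function parameterizeQuery(queryText, variables) {
  const parameters = {};
  const sql = queryText.replace(/\{(\w+)\}/g, (_, name) => {
    if (!Object.prototype.hasOwnProperty.call(variables, name)) {
      throw new Error(`no value for variable ${name}`);
    }
    parameters[name] = variables[name];
    return `@${name}`;
  });
  return { sql, parameters };
}

// Server-side sanity check before building SqlParameter objects: no {Var}
// substitution may survive in the text, and every @name the text references
// must have a supplied value (a missing one would otherwise surface as a
// confusing database error at run time).
function validateParameterizedQuery(sql, parameters) {
  if (/\{\w+\}/.test(sql)) return false;
  const referenced = new Set([...sql.matchAll(/@(\w+)/g)].map((m) => m[1]));
  for (const name of referenced) {
    if (!Object.prototype.hasOwnProperty.call(parameters, name)) return false;
  }
  return true;
}

// Constructed sample input: the query from the post and a classic tautology
// payload supplied as the FirstName variable value.
const QUERY = "SELECT * FROM People WHERE FirstName = {FirstName}";
const PAYLOAD = "x' OR '1'='1";

// Returns both outcomes so they can be compared side by side.
function demo() {
  const injected = inlineVariables(QUERY, { FirstName: PAYLOAD });
  const safe = parameterizeQuery(QUERY, { FirstName: PAYLOAD });
  return { injected, safe, valid: validateParameterizedQuery(safe.sql, safe.parameters) };
}

console.log(demo());
```

Running it prints the inlined query with the WHERE clause turned into `FirstName = 'x' OR '1'='1'`, which matches every row, while the parameterized version keeps the text `FirstName = @FirstName` and hands the payload over as a plain string value. The same idea applies to the client-side hack in the post: the viewer should only ever ship values, never query text, and the server should refuse any query that still contains a {Var} substitution.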