OutSystems

SQL Injection Warning

Message
Ensure the expand inline argument is protected by using EncodeSql(), or VerifySqlLiteral() from the Sanitization extension, to avoid security flaws.
Cause
The argument named in the warning is a Query Parameter with Expand Inline enabled whose value comes from user input, so it may contain malicious content that is spliced directly into the SQL statement.
Recommendation

Do one of the following:

  • If your Parameter is just a string literal, disable the Expand Inline property of the Query Parameter. The value is then passed as a bound parameter and is never interpreted as SQL.

Example:

SELECT {entity}.[attribute]
FROM {entity}
WHERE {entity}.[attribute] LIKE @parameter;

Where parameter is equal to the user-defined Text Variable, variable:

parameter = variable
  • If your Parameter, parameter, contains an SQL clause that includes only string literals, wrap the distrusted Variable in the EncodeSql() built-in function to escape certain characters (such as the single quote, ').

Example:

SELECT {entity}.[attribute]
FROM {entity}
@parameter;

Where parameter is defined as a SQL clause that includes the user-defined Text Variable, variable:

parameter = "WHERE {entity}.[attribute] LIKE '" + EncodeSql(variable) + "'"

Do not forget to wrap the result of EncodeSql() in single quotes; otherwise your query will still be vulnerable to SQL injection. EncodeSql() only escapes characters that would break out of a string literal, so it protects the value only when that value sits inside a quoted literal. Placed outside quotes, an input such as 1 OR 1=1 contains no quote to escape and is executed as SQL:

"'" + EncodeSql(variable) + "'"
  • If your Parameter contains an SQL clause that includes non-string literals (for example an Integer), wrap the distrusted Variable in the VerifySqlLiteral() function from the Sanitization Extension to ensure it only contains valid SQL literals before it is spliced into the query.

Example:

SELECT {entity}.[attribute]
FROM {entity}
@parameter;

Where parameter is defined as a SQL clause that includes the user-defined Integer Variable, integer-variable:

parameter = "WHERE {entity}.[integer-attribute] = " + VerifySqlLiteral(integer-variable)
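The following is an added example, not OutSystems code, that reproduces the three situations above with Python and sqlite3 so the effect of each fix can be observed on real rows. It assumes a model of the two OutSystems functions: encode_sql() stands in for EncodeSql() and doubles single quotes; verify_sql_literal() stands in for VerifySqlLiteral() and accepts exactly one numeric or single-quoted string literal, raising otherwise (the real function's exact rules are not stated on this page). The Product table and its rows are constructed sample data; bound() corresponds to a Query Parameter with Expand Inline disabled.

```python
import re
import sqlite3


def encode_sql(value: str) -> str:
    # Assumed model of OutSystems EncodeSql(): escape single quotes by
    # doubling them. It does nothing else, which is why the result is only
    # safe when placed inside a quoted string literal.
    return value.replace("'", "''")


# One SQL literal and nothing more: an optionally signed number, or a
# single-quoted string in which embedded quotes are doubled.
_LITERAL = re.compile(r"^\s*(?:-?\d+(?:\.\d+)?|'(?:[^']|'')*')\s*$")


def verify_sql_literal(value: str) -> str:
    # Assumed model of VerifySqlLiteral(): return the text unchanged if it is
    # a single valid SQL literal, otherwise refuse to let it reach the query.
    if not _LITERAL.match(value):
        raise ValueError(f"not a SQL literal: {value!r}")
    return value


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for {entity} / [attribute].
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (Id INTEGER, Name TEXT)")
    conn.executemany(
        "INSERT INTO Product VALUES (?, ?)",
        [(1, "Widget"), (2, "Gadget"), (3, "Gizmo")],
    )
    return conn


def names(conn: sqlite3.Connection, sql: str, params=()) -> list:
    return [row[0] for row in conn.execute(sql, params)]


# 1. Expand Inline disabled: the value travels as a bound parameter and is
#    never parsed as SQL, so a payload is just an unmatched pattern.
def bound(conn: sqlite3.Connection, variable: str) -> list:
    return names(conn, "SELECT Name FROM Product WHERE Name LIKE ? ORDER BY Id", (variable,))


# 2a. Expand Inline enabled, EncodeSql() applied but NOT wrapped in quotes.
#     A payload without any quote character is passed through untouched and
#     becomes part of the WHERE clause: still injectable.
def expanded_unquoted(conn: sqlite3.Connection, variable: str) -> list:
    clause = "WHERE Name LIKE " + encode_sql(variable)
    return names(conn, "SELECT Name FROM Product " + clause + " ORDER BY Id")


# 2b. Expand Inline enabled, EncodeSql() wrapped in single quotes as the
#     recommendation requires: the payload is confined to a string literal.
def expanded_quoted(conn: sqlite3.Connection, variable: str) -> list:
    clause = "WHERE Name LIKE '" + encode_sql(variable) + "'"
    return names(conn, "SELECT Name FROM Product " + clause + " ORDER BY Id")


# 3. Non-string literal: quotes would be wrong here, so the value is gated by
#    the literal check before it is spliced into the clause.
def expanded_integer(conn: sqlite3.Connection, integer_text: str) -> list:
    clause = "WHERE Id = " + verify_sql_literal(integer_text)
    return names(conn, "SELECT Name FROM Product " + clause + " ORDER BY Id")


if __name__ == "__main__":
    db = make_db()
    print("bound:            ", bound(db, "1 OR 1=1"))
    print("expanded_unquoted:", expanded_unquoted(db, "1 OR 1=1"))  # all rows leak
    print("expanded_quoted:  ", expanded_quoted(db, "1 OR 1=1"))
    print("expanded_quoted:  ", expanded_quoted(db, "' OR '1'='1"))
    print("expanded_integer: ", expanded_integer(db, "2"))
    try:
        expanded_integer(db, "2 OR 1=1")
    except ValueError as exc:
        print("expanded_integer rejected:", exc)
```

The payload used in the unquoted case, 1 OR 1=1, contains no quote, so encode_sql() returns it unchanged and the clause becomes WHERE Name LIKE 1 OR 1=1, which matches every row; the same input inside quotes is merely a LIKE pattern that matches nothing. For the integer case the check is what prevents the same trick, since there is no quote boundary to rely on.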