SQL injection prevention question
Hi Everyone
During the testing of a workflow, we found out that it was possible to do SQL injection into the fields.
What we have is a form that collects the user's NT ID, then it passes the NT ID to a "FindServiceDeskContact" component.
And it seems like if we input strings such as
NTID';delete * from table
it will try to run the query against the helpdesk incident's database.
Does anyone know if there is any way of sanitizing the input?
Thanks in advance.
Sanitizing data using a RegEx
Hello MUHenry,
I'm not sure if this is the best way to do it, but the following definitely works. Add a replace common pattern control to your workflow. Set the data you want to sanitize as the input variable name. Set Reg Exp to (Custom), set Regular expression to something like this [^0-9a-zA-Z], set the Replace Variable Name to dynamic value (without any content) and set the output variable name (e.g. to sanitizedNTid). Now use the sanitizedNTid in your FindServiceDeskContact component.
I hope this helps,
Best regards,
John
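To make the answer above concrete, here is an added worked example (written for this page, not code from the thread or from the workflow product). It reproduces the Replace Common Pattern step in Python with the same pattern, [^0-9a-zA-Z], runs the sanitized and unsanitized value through a string-concatenated lookup against a constructed stand-in for the contact table, and puts a parameterised query next to it, which is the stronger fix because the NT ID is then passed to the database as a value and can never be parsed as SQL. The table, column names and the jsmith/mhenry rows are assumptions for the demo; the payload is the same shape as the one in the question, rewritten in valid SQL so the DELETE actually executes. One caveat worth checking before relying on the regex: it also strips characters some directories allow in account names (hyphen, period, underscore, the backslash in DOMAIN\user), so the sanitized value may no longer match a real contact.

```python
import re
import sqlite3

# The allow-list pattern from the answer above: every character that is NOT
# a digit or an ASCII letter gets removed.
NON_ALNUM = re.compile(r"[^0-9a-zA-Z]")


def sanitize_ntid(raw: str) -> str:
    """Mirror the Replace Common Pattern step: drop everything outside [0-9a-zA-Z]."""
    return NON_ALNUM.sub("", raw)


def setup_db() -> sqlite3.Connection:
    """Constructed stand-in for the helpdesk contact table (assumed schema, not the real one)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE contacts (ntid TEXT PRIMARY KEY, name TEXT);
        INSERT INTO contacts VALUES ('jsmith', 'John Smith');
        INSERT INTO contacts VALUES ('mhenry', 'M. Henry');
        """
    )
    return conn


def count_contacts(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM contacts").fetchone()[0]


def lookup_unsafe(conn: sqlite3.Connection, ntid: str) -> None:
    """String-concatenated lookup of the kind the question describes.

    executescript() runs every statement in the string, which is what a
    component with multi-statement execution does with a payload such as
    "x'; DELETE FROM contacts; --".
    """
    sql = f"SELECT name FROM contacts WHERE ntid = '{ntid}'"
    conn.executescript(sql)


def lookup_safe(conn: sqlite3.Connection, ntid: str):
    """Parameterised lookup: the driver passes ntid as a value, never as SQL."""
    row = conn.execute("SELECT name FROM contacts WHERE ntid = ?", (ntid,)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    # Constructed payload with the same shape as the one in the question,
    # written in valid SQL so the DELETE actually executes.
    payload = "jsmith'; DELETE FROM contacts; --"
    out = {}

    conn = setup_db()
    lookup_unsafe(conn, payload)
    out["rows_after_unsafe"] = count_contacts(conn)          # 0: table emptied

    conn = setup_db()
    cleaned = sanitize_ntid(payload)
    out["sanitized"] = cleaned                               # 'jsmithDELETEFROMcontacts'
    lookup_unsafe(conn, cleaned)
    out["rows_after_sanitized"] = count_contacts(conn)       # 2: no quote or ';' survived

    conn = setup_db()
    out["safe_lookup"] = lookup_safe(conn, payload)          # None: no such NT ID
    out["rows_after_safe"] = count_contacts(conn)            # 2

    # Caveat: the pattern also strips characters some directories allow in IDs.
    out["hyphen_lost"] = sanitize_ntid("DOMAIN\\j-smith.2")  # 'DOMAINjsmith2'
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it as a script to see the three outcomes side by side: the concatenated lookup with the raw payload empties the table, the regex-sanitized value is harmless but is silently changed into a string that matches nothing, and the parameterised lookup simply finds no contact while leaving the table intact. If the workflow component only ever receives the value through a parameter, the regex step becomes a validation aid rather than the only line of defence.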
hi John,
Thanks heaps for the reply, that seems like a good method of sanitizing the input, I'll give it a shot.