Securing QueryString parameter in Repeater

Greg Woz asked on June 15, 2015 16:12


I am passing a WHERE condition in a repeater as follows: JobType LIKE '%{% QueryString.type %}%'

I would like to check that no malicious characters are stored within the [type] parameter. Is there any helper function I could use within the WHERE clause of the repeater, or any other way to secure it while keeping the same solution (QueryString param embedded in the WHERE clause)?

Recent Answers

Juraj Komlosi answered on June 15, 2015 17:41

Hi Greg,

In all built-in web parts, the "WHERE" and "ORDER BY" web part properties are protected against SQL injection automatically. If one of the mentioned web part properties contains a macro, the macro result is sanitized to avoid SQL injection - apostrophes are escaped.

Your WHERE condition - JobType LIKE '%{% QueryString.type %}%' - is absolutely correct and safe. If you are interested in protection against SQL injection in Kentico, you may find my blog post on this topic helpful.

Just be careful if you work with a WHERE condition like this - DocumentID = {%QueryString.documentid%}. In this case you cannot rely on the system protection. Please notice that there are no apostrophes in the specified condition, so any escaping is useless. The only solution here is to convert the macro result to the appropriate data type, so it should look like this - DocumentID = {%ToInt(QueryString.documentid, 0)%}.

Hope it helps.

0 votes
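The two cases in the answer above, as an added runnable example that is not part of the original thread or of Kentico's own code: a quoted string context where apostrophe escaping keeps the parameter inside the literal, and an unquoted numeric context where escaping changes nothing and only a type conversion closes the hole. The escaping function and the `to_int` helper are assumptions that stand in for the sanitization and the `ToInt(value, default)` macro described in the answer, and the queries run against a constructed in-memory SQLite table rather than a Kentico database.

```python
import sqlite3
from typing import List

# Constructed sample rows (not from the original thread).
JOBS = [
    (1, "Engineer"),
    (2, "Engineering Manager"),
    (3, "Designer"),
]


def escape_sql_string(value: str) -> str:
    """Stand-in (assumption) for the sanitization the answer describes:
    every apostrophe is doubled so the value cannot close the string
    literal it is embedded in."""
    return value.replace("'", "''")


def to_int(value: str, default: int = 0) -> int:
    """Stand-in (assumption) for the ToInt(value, default) macro:
    anything that is not a whole integer collapses to the default."""
    try:
        return int(value.strip())
    except (ValueError, AttributeError):
        return default


def where_like_escaped(type_param: str) -> str:
    # Quoted context, as in JobType LIKE '%{% QueryString.type %}%'.
    return f"JobType LIKE '%{escape_sql_string(type_param)}%'"


def where_id_escaped_only(documentid_param: str) -> str:
    # Unquoted context, as in DocumentID = {%QueryString.documentid%}.
    # Escaping apostrophes is useless here: there is no literal to escape out of.
    return f"DocumentID = {escape_sql_string(documentid_param)}"


def where_id_to_int(documentid_param: str) -> str:
    # Hardened form, as in DocumentID = {%ToInt(QueryString.documentid, 0)%}.
    return f"DocumentID = {to_int(documentid_param, 0)}"


def query_ids(where: str) -> List[int]:
    """Run SELECT DocumentID FROM Jobs WHERE <where> against the sample table
    and return the matching IDs (empty list if the SQL fails to parse)."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE Jobs (DocumentID INTEGER, JobType TEXT)")
        conn.executemany("INSERT INTO Jobs VALUES (?, ?)", JOBS)
        sql = f"SELECT DocumentID FROM Jobs WHERE {where} ORDER BY DocumentID"
        return [row[0] for row in conn.execute(sql).fetchall()]
    except sqlite3.Error:
        return []
    finally:
        conn.close()


if __name__ == "__main__":
    # Normal use of the string condition.
    print(query_ids(where_like_escaped("Engineer")))
    # Attempted break-out stays inside the literal once apostrophes are doubled.
    print(query_ids(where_like_escaped("' OR 1=1 --")))
    # Numeric context with escaping only: the payload becomes part of the SQL.
    print(query_ids(where_id_escaped_only("2 OR 1=1")))
    # Numeric context with type conversion: the payload collapses to 0.
    print(query_ids(where_id_to_int("2 OR 1=1")))
```

One caveat the answer does not cover: doubling apostrophes does not neutralize the LIKE wildcards `%` and `_`, so a caller can still widen the match (a `type` value of `%` matches every row). That is a matching concern rather than an injection, but it matters if the result set should be restricted.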

Brenden Kehren answered on June 15, 2015 17:44

By default it will automatically be checked and invalid SQL characters escaped. You can read more details in the Kentico Security Whitepaper.

0 votes

Greg Woz answered on June 17, 2015 12:09

Thanks guys! I just performed a quick XSS JavaScript injection, which is why I created this post. Thank you.

0 votes
