Portal Engine forum (questions on portal engine and web parts) > Version 5.x > SQL injection problems
m.rutter (Member) - 3/10/2010 10:16:28 AM
SQL injection problems
Hi everybody.
I just made a new site with KCMS 5.0.

On a page I need to display a list of files from a Media Library.
So I placed a "Media files data source" webpart and a "Media gallery - file list" webpart.

In the data source's order by property, I inserted "{%oby|(default)filetitle%}" to allow ordering of files by query string. The query string will contain a parameter "oby" with the name of the field to use in the sort by clause (default is filetitle).

The problem is that the link is so visible to end users that anyone can inject SQL code:

<my url>?oby=FileCreatedWhen%20desc;DELETE%20FROM%20Media_File

Does a default way to avoid this behavior exist?

Thank you for any idea.
Marcello

kentico_helenag (Kentico Developer) - 3/11/2010 9:48:15 AM
RE:SQL injection problems
Hello Marcello,

You could develop a custom macro and use it for the Order by property (http://devnet.kentico.com/docs/devguide/appendix_a___macro_expressions.htm). It could check the current query string and keep only the allowed characters. Then it could return the safe value for the Order by parameter.
Best regards,
Helena Grulichova

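The allow-list approach Helena describes, written out as an added example (not Kentico's or the poster's code) in the C# a Kentico 5.x custom macro would be written in; the SafeOrderBy class, its Resolve method and the macro name safeoby are assumptions, and rather than stripping characters it accepts only a known column plus an optional direction:

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example (not Kentico code): an allow-list check for an ORDER BY value taken
// from the query string, intended to be called from a custom macro. FileTitle and
// FileCreatedWhen appear in the thread; any column you add must exist in your table.
public static class SafeOrderBy
{
    // Only these columns may be sorted on, whatever the request says; the value is the
    // canonical spelling that ends up in the SQL, so request casing never leaks through.
    private static readonly Dictionary<string, string> AllowedColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "FileTitle", "FileTitle" },
            { "FileCreatedWhen", "FileCreatedWhen" }
        };

    // Accepts exactly "<column>" or "<column> asc|desc": no punctuation, no ';',
    // no second statement.
    private static readonly Regex Pattern =
        new Regex(@"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$",
                  RegexOptions.IgnoreCase);

    // Returns a safe ORDER BY fragment. defaultColumn is developer supplied (not from the
    // request), so it is trusted; anything else not on the allow-list falls back to it.
    public static string Resolve(string rawValue, string defaultColumn)
    {
        if (!string.IsNullOrEmpty(rawValue))
        {
            Match m = Pattern.Match(rawValue);
            string column;
            if (m.Success && AllowedColumns.TryGetValue(m.Groups[1].Value, out column))
            {
                string direction = m.Groups[2].Success
                    ? m.Groups[2].Value.ToUpperInvariant() : "ASC";
                return "[" + column + "] " + direction;
            }
        }
        // The value from the thread, "FileCreatedWhen desc;DELETE FROM Media_File",
        // fails the pattern and lands here, so the default ordering is used.
        return "[" + defaultColumn + "] ASC";
    }
}

// Hooking this into a custom macro is version specific; the macro name and the
// handler shape below are assumptions, so check the macro appendix linked above
// for the exact signature in your installation:
//
//   case "safeoby":
//       match = true;
//       return SafeOrderBy.Resolve(
//           HttpContext.Current.Request.QueryString["oby"], "FileTitle");
```

The data source's Order by property then references that custom macro instead of {%oby|(default)filetitle%}, so the raw query string value never reaches the SQL.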
m.rutter (Member) - 3/17/2010 6:06:12 AM
RE:SQL injection problems
Hi Helena, sorry for the delay and thank you for your message.
Well, I wrote macros in the past for other K's sites so I can apply your hint.

May I suggest to you to implement, in the future, default anti SQL-injection filters for WHERE/ORDER BY and other SQL clauses?

Thank you,
Marcello

kentico_helenag (Kentico Developer) - 3/18/2010 8:09:58 AM
RE:SQL injection problems
Hi Marcello,

We will consider this feature. Thank you for your suggestion. You may also add the requirement at kentico.uservoice.com.

Best regards,
Helena Grulichova

m.rutter (Member) - 3/18/2010 8:44:23 AM
RE:SQL injection problems
Of course, Helena. I will do it.

Sincerely,
Marcello