Version 5.x > Bug reports > TreeProvider.Select... and the where parameter, does it prepare statements for SQL Server?
Member
michiel - 8/5/2010 10:04:05 AM
TreeProvider.Select... and the where parameter, does it prepare statements for SQL Server?
A while ago I asked the official Kentico support if Kentico was safe from SQL injection when using the TreeProvider or TreeHelper methods. I received the answer that it was indeed safe, leading me to believe that the where parameter doesn't need any special attention.

However, today I received the following exception:

[DataConnection.ExecuteQuery]: Query: SELECT TOP 2 * FROM View_Portfolio_Folder_Joined WHERE ((((Published = 1)) AND (DocumentCulture = N'nl-NL')) AND (NodeName = 'Detail foto's' AND NodeParentID = 59)) : caused exception: Incorrect syntax near 's'. Unclosed quotation mark after the character string ' AND NodeParentID = 59)) '.

I used overload 14 of TreeProvider.SelectSingleNode

So does or doesn't Kentico prepare statements before sending them to the database? It's important to know because of the risk of SQL injection attacks.

Thanks in advance for looking into this!

Kentico Support
kentico_jurajo - 8/17/2010 7:58:14 AM
RE:TreeProvider.Select... and the where parameter, does it prepare statements for SQL Server?
Hi,

We are checking parameters like siteName, aliasPath, cultureCode, etc., but what is in the WHERE condition or ORDER BY is fully up to you. If these were escaped, you wouldn't be able to use something like this in the where condition: (DocumentCulture = N'nl-NL')) AND (NodeName = 'Detail foto')

There is no way to ensure this in general for every possible condition, so it is up to you what you write in your code.

Best regards,
Juraj Ondrus

Member
michiel - 8/19/2010 4:25:14 AM
RE:TreeProvider.Select... and the where parameter, does it prepare statements for SQL Server?
I found this comment in another thread:

Hi,
It should be checked in the API and all our controls. In case you have found some place where there could be a possible "hole" in the system or a weak spot, please let us know so we can solve this problem.
Best Regards,
Zbysek Nemec.

http://devnet.kentico.com/Forums.aspx?forumid=41&threadid=8745

Kentico Support
kentico_jurajo - 8/20/2010 2:43:05 AM
RE:TreeProvider.Select... and the where parameter, does it prepare statements for SQL Server?
Hi,

Yes, that applies to system parameters or attributes, not to a custom WHERE condition, where you can write whatever you want. It is fully up to you whether you write it SQL injection proof or not, since that is your custom code and we can't be responsible for your code and mistakes. We can only check the system attributes where we are able to predict their format and expected data, not custom conditions where you can write anything you like.

Best regards,
Juraj Ondrus
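Putting the support answers into practice: the where parameter is passed through to SQL Server unchanged, so anything that ends up inside it has to be made safe by the caller. The C# below is an added example, not code from this thread or from Kentico. It assumes the string returned by BuildNodeWhere is handed to the TreeProvider's where parameter as-is; the helper names EscapeSqlLiteral and BuildNodeWhere are hypothetical and not part of the Kentico API. It reuses the apostrophe value that broke the query in the first post and shows the literal that reaches SQL Server once the quote is doubled and the numeric part is validated as an integer rather than concatenated as text.

```csharp
using System;
using System.Globalization;

// Added example (not Kentico code). Assumes the condition built here is passed
// unchanged to the TreeProvider "where" parameter, as the thread describes.
public static class NodeWhereBuilder
{
    // T-SQL string literals end at the first lone single quote, which is what
    // produced "Unclosed quotation mark" in the thread. Doubling every quote
    // keeps the value inside its literal. This is only valid for string
    // literals; it does nothing for numbers or column names.
    public static string EscapeSqlLiteral(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        return value.Replace("'", "''");
    }

    // Builds the same condition the failing query used, but with the name
    // escaped and the parent id typed as int, so no caller text reaches the
    // SQL unescaped. N'...' keeps Unicode node names intact.
    public static string BuildNodeWhere(string nodeName, int nodeParentId)
    {
        return "NodeName = N'" + EscapeSqlLiteral(nodeName) + "' AND NodeParentID = "
            + nodeParentId.ToString(CultureInfo.InvariantCulture);
    }

    // Parses an id that arrived as text (query string, form field) before it
    // is allowed anywhere near the condition; anything non-numeric is rejected.
    public static bool TryParseNodeId(string raw, out int nodeId)
    {
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out nodeId);
    }

    public static void Main()
    {
        // Constructed sample: the value from the thread that broke the query.
        string nodeName = "Detail foto's";
        string unsafeWhere = "NodeName = '" + nodeName + "' AND NodeParentID = 59";
        string safeWhere = BuildNodeWhere(nodeName, 59);

        Console.WriteLine("unsafe: " + unsafeWhere);
        Console.WriteLine("safe:   " + safeWhere);

        int parentId;
        Console.WriteLine("id '59' accepted: " + TryParseNodeId("59", out parentId));
        Console.WriteLine("id '59 OR 1' accepted: " + TryParseNodeId("59 OR 1", out parentId));
    }
}
```

The escape covers string literals only. Integer and date values should be parsed into typed variables and formatted with the invariant culture, and column names or sort expressions used in a where or ORDER BY string must come from a fixed list in your code, never from request input, because no escaping makes an identifier safe.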