joserraff-hotmail - 10/8/2012 10:51:03 AM
SQL Injection - TreeHelper.SelectNodes method
Hi There,

I am facing a SQL injection issue.

I have the following where clause in the SelectNodes method:

drpVar.SelectedValue = var;
DataSet ds = TreeHelper.SelectNodes("/Global/Var/%", true, "custom.Var", "(DocumentName = '" + var + "')", "NodeOrder", 1, true);

If someone passes the single quote character ' in the var string, the TreeHelper.SelectNodes method raises an exception that exposes the SQL query.

What would be the best method to avoid that?
Could you please provide a quick guide?

Thank you very much and best regards,
Joss

Kentico Developer
kentico_ivanat - 10/10/2012 5:35:50 AM
RE:SQL Injection - TreeHelper.SelectNodes method
Hi,

In your code sample it is not visible how exactly the var variable is generated.

It seems like you do not validate the input. Please take a look at the security document (pages 14 and 15). It describes how to avoid SQL injection in custom code. Here is a summary of the recommendations:

- Protect dynamic parts in INSERT, UPDATE and DELETE queries with SQL parameters.
- Don't ever use the exec() function in your SQL code.
- When you build a SELECT query in code, all used strings taken from external sources must be protected with Replace("'", "''").
- Always escape values from arrays (lists, ...) when you are getting them and putting them into a string (typically in foreach loops).
- Never rely on JavaScript validation. JavaScript is executed on the client side, so the attacker can disable validation.
- When you work with types other than string, always convert the data to that type or validate the value via regular expressions.

Best regards,
Ivana Tomanickova
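As an added example (not part of either post and not Kentico's own code), a small helper that applies the recommendations above to the where clause from the question; the class name WhereBuilder and its method names are assumed, and only TreeHelper.SelectNodes comes from the original code:

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (not a Kentico API) that builds WHERE clause fragments
// from untrusted input according to the recommendations in the answer.
public static class WhereBuilder
{
    // Strings from external sources are protected with Replace("'", "''"):
    // doubling the quote keeps the value inside the SQL string literal, so a
    // quote in the input can no longer terminate the literal or break the query.
    public static string SqlString(string value)
    {
        if (value == null) return "NULL";
        return "'" + value.Replace("'", "''") + "'";
    }

    // Non-string types are converted to the target type before they reach the
    // query; anything that is not an integer is rejected instead of concatenated.
    public static int SqlInt(string value)
    {
        int result;
        if (!int.TryParse(value, out result))
            throw new ArgumentException("Expected an integer value.", "value");
        return result;
    }

    // Every element of a list is escaped individually when it is put into a
    // string (the foreach case from the answer), e.g. for an IN (...) condition.
    public static string SqlStringList(IEnumerable<string> values)
    {
        var escaped = new List<string>();
        foreach (string v in values)
            escaped.Add(SqlString(v));
        return "(" + string.Join(", ", escaped.ToArray()) + ")";
    }

    // The condition from the question, rebuilt from an untrusted value.
    public static string DocumentNameCondition(string var)
    {
        return "(DocumentName = " + SqlString(var) + ")";
    }
}

// Usage with the call from the question; only the where clause changes:
// string where = WhereBuilder.DocumentNameCondition(drpVar.SelectedValue);
// DataSet ds = TreeHelper.SelectNodes("/Global/Var/%", true, "custom.Var", where, "NodeOrder", 1, true);
```

The exception the question describes should also be caught and logged rather than shown to the user, so the query text does not reach the browser even when an unexpected value slips through.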