Version 6.x > Portal Engine > Repeater WebPart Control Security issues
Member
mca.saikat-gmail - 9/14/2012 11:05:32 AM
Repeater WebPart Control Security issues
If I use macros in a repeater web part, is there any chance of SQL injection issues?
Sometimes macros are not working in the WHERE condition and I am getting an error page.
Can you please suggest the best

Certified Developer 8
Jiveabillion - 9/14/2012 2:56:28 PM
RE: Repeater WebPart Control Security issues
I'm not 100% sure if Kentico implements some sort of SQL Injection prevention when querying using the CMS Repeaters, but I think it does. The best way to test this is to try to inject some SQL yourself.

I do know that you need to write your queries that have macros in them in such a way that the query will not throw an error if the macro result is blank. I usually use single quotes like this: '{%id%}', even if the column is an int. If you think hard enough about it, you can come up with many ways to deal with it.

Kentico Support
kentico_jurajo - 9/14/2012 6:13:08 PM
RE: Repeater WebPart Control Security issues
Hi,

We are checking our code against SQLi. However, if you are using e.g. query string macros and sending a string value there, you need to ensure this on your own and you need to be aware of the risks. The best way is to use integers in the query string and then set the query string macro to expect just an integer value using the (int) parameter.

Also, on a similar topic, please see this.
There is also a security white paper.

Best regards,
Juraj Ondrus
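The (int) expectation Juraj describes, together with the blank-value case Jiveabillion raises, modelled as an added Python example (this is not Kentico's code; the table, column and rows are constructed stand-ins, and `coerce_int_macro` is a hypothetical helper that only imitates an integer-typed query string macro):

```python
import re
import sqlite3

# Constructed sample rows standing in for the CMS document tree (not Kentico's schema).
SAMPLE_DOCUMENTS = [(1, "Home"), (2, "News"), (42, "About")]

INT_PATTERN = re.compile(r"^-?\d+$")


def coerce_int_macro(raw, default=0):
    """Hypothetical model of a query string macro resolved with an (int) expectation.

    Anything that is not a plain integer (blank value, text, stray quotes or
    operators) falls back to the default instead of reaching the WHERE clause,
    so the condition never breaks and the untrusted text never becomes SQL.
    """
    if raw is None:
        return default
    value = raw.strip()
    if not INT_PATTERN.match(value):
        return default
    return int(value)


def build_where_condition(raw_id):
    """Build the repeater's WHERE condition from the untrusted query string value."""
    return "DocumentID = %d" % coerce_int_macro(raw_id)


def select_documents(raw_id):
    """Run the built condition against the constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CMS_Document (DocumentID INTEGER, DocumentName TEXT)")
    conn.executemany("INSERT INTO CMS_Document VALUES (?, ?)", SAMPLE_DOCUMENTS)
    rows = conn.execute(
        "SELECT DocumentName FROM CMS_Document WHERE " + build_where_condition(raw_id)
    ).fetchall()
    conn.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    # A valid id selects one row; a blank or malformed value yields an empty,
    # still well-formed condition rather than an error page.
    for raw in ("42", "", "abc", "42'"):
        print(repr(raw), "->", build_where_condition(raw), select_documents(raw))
```

A blank macro value here resolves to `DocumentID = 0`, which returns nothing rather than throwing, which is the same outcome Jiveabillion's quoting trick is meant to protect against.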