szarouski - 4/24/2012 9:12:41 AM
Would like to discuss SQL injection protection in web part properties
Hi,

On this page you can find a section which describes "SQL injection protection in web part properties". The idea is that by default the where and orderby conditions will escape the (') character with two ('') characters, which prevents SQL injection attacks. I think this is a great solution, and there is also a way to customize the "this.SQLProperties" property in the code of the web part to add/remove fields from filtering.
So I would like to suggest something that will be very useful for developers - in the web part properties, add a field (or maybe checkboxes) called MacroSqlEscape and allow developers to customize "this.SQLProperties" through this field. In this case developers can decide whether they want to handle quote escaping themselves or rely on Kentico. That will also save time on editing web part properties each time a developer needs to change what should be filtered.

Hope that all makes sense. Please let me know what you think and whether it could be included in a future release.

Thanks,
Sergey
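A short C# illustration of the escaping the post describes, added here and not Kentico's own code: a hypothetical EscapingWebPart whose SqlProperties set stands in for this.SQLProperties, showing the ' to '' doubling applied to a WhereCondition value and what changes when a developer removes that property from the set.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for a Kentico web part (not Kentico's own class).
// SqlProperties plays the role of the page's "this.SQLProperties": the names
// of properties whose values are escaped before being used in SQL.
public class EscapingWebPart
{
    public HashSet<string> SqlProperties { get; } =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "WhereCondition", "OrderBy" };
    private readonly Dictionary<string, string> values =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    public void SetProperty(string name, string value) => values[name] = value;

    // Doubles every single quote (' -> '') when the property is listed in
    // SqlProperties, so the value cannot terminate a string literal. Properties
    // removed from the set are returned raw: the developer then owns the handling
    // (for example by using a parameterised query instead of string building).
    public string GetSqlValue(string name)
    {
        string raw = values.TryGetValue(name, out var v) ? v : string.Empty;
        return SqlProperties.Contains(name) ? raw.Replace("'", "''") : raw;
    }

    // Embeds the WhereCondition value into a string-literal comparison, the
    // pattern the escaping is designed to protect.
    public string WhereFragment(string column) =>
        column + " = '" + GetSqlValue("WhereCondition") + "'";
}

public static class Demo
{
    public static void Main()
    {
        var part = new EscapingWebPart();
        // Constructed input containing a quote, as a malicious visitor might supply.
        part.SetProperty("WhereCondition", "x' OR 1=1 --");
        // Default: escaped, so the whole input stays inside the literal.
        Console.WriteLine("escaped:   " + part.WhereFragment("DocumentName"));
        // Opting out, as the post proposes: the value passes through unchanged
        // and escaping becomes the developer's responsibility.
        part.SqlProperties.Remove("WhereCondition");
        Console.WriteLine("unescaped: " + part.WhereFragment("DocumentName"));
    }
}
```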

kentico_jurajo - 4/25/2012 7:48:07 AM
RE:Would like to discuss SQL injection protection in web part properties
Hi,

I think it is a good idea. I have forwarded it to our developers as a requirement for the next versions. We will see what will be implemented and how.

Thank you!

Best regards,
Juraj Ondrus