Portal Engine Questions on portal engine and web parts.
Version 7.x > Portal Engine > QueryString concerns.
Member
vcarter - 10/21/2013 12:43:11 PM
QueryString concerns.
I am creating a user control that passes some parameters to a results page via querystring. The results page consists of a QueryDataSource connected to a repeater.

I have added custom code to the layout of the querydatasource to build the where clause based on the parameters selected:
<script runat="server">
protected override void OnLoad(EventArgs e)
{
string st = Request.QueryString["st"];
base.OnLoad(e);
where = " View_mediaasset_Joined.DocumentName LIKE '%" + st + "%'";
this.srcElem.WhereCondition = where;
}
</script>

This is a simplified version of what I am using. My concern is obviously SQL injection. I have seen several threads related to this, but most were older and I am not sure what the best approach for this is with the current version of Kentico. Should I just do a replace looking for single quotes? Does the latest version filter parameters passed this way? Should I make them query parameters, and if so, what is the syntax for doing this dynamically?

Or is my approach flawed altogether?

Any assistance would be appreciated.

Kentico Support
kentico_jurajo - 10/21/2013 2:57:52 PM
RE:QueryString concerns.
Hi,

This security whitepaper describes how to handle this using the QueryHelper or ValidationHelper classes (you can also search the default web project files to see how they are used). Also, there is a video available that deals with the general security issues and how to handle them in Kentico. You can find the video here.

Best regards,
Juraj Ondrus
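The where condition from the original post, built the unsafe way and an escaped way side by side. This is an added example, not code from the thread or from Kentico; the escaping is plain C# with no Kentico dependency, standing in for the QueryHelper/ValidationHelper route the reply points to, and the sample input is constructed.

```csharp
using System;

public static class WhereBuilder
{
    // Mirrors the posted OnLoad: the raw query-string value is concatenated
    // straight into the condition, so a single quote in "st" ends the literal.
    public static string BuildUnsafe(string st)
    {
        return " View_mediaasset_Joined.DocumentName LIKE '%" + st + "%'";
    }

    // Hardened variant: the user text is escaped so it can neither close the
    // string literal nor act as a LIKE pattern.
    public static string BuildSafe(string st)
    {
        string escaped = EscapeLikeLiteral(st ?? string.Empty);
        return " View_mediaasset_Joined.DocumentName LIKE '%" + escaped + "%'";
    }

    // T-SQL escaping for text placed inside a quoted LIKE pattern:
    // bracket-escape the wildcards, then double the single quotes.
    public static string EscapeLikeLiteral(string text)
    {
        return text
            .Replace("[", "[[]")   // first, because the next steps add brackets
            .Replace("%", "[%]")
            .Replace("_", "[_]")
            .Replace("'", "''");   // string-literal quote escaping
    }

    public static void Main()
    {
        // Constructed sample: an ordinary value that happens to contain a
        // quote and an underscore (a LIKE wildcard).
        string st = "O'Brien_2013";
        Console.WriteLine(BuildUnsafe(st)); // LIKE '%O'Brien_2013%'     (literal broken)
        Console.WriteLine(BuildSafe(st));   // LIKE '%O''Brien[_]2013%'  (literal intact)
    }
}
```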

Member
vcarter - 10/21/2013 3:15:02 PM
RE:QueryString concerns.
Thank you very much jurajo. The information is very much appreciated.

Kentico Legend
Brenden Kehren - 10/21/2013 3:54:25 PM
RE:QueryString concerns.
In addition to the good technical documentation Juraj showed, you can use a macro if you're setting a web part property, and SQL injection is automatically handled for you. Simply use
ColumnName = {%QueryStringParameterName%} (no spaces)
You can also check for null values.

You can also escape the injection check altogether by using
|(handlesqlinjection)false?}
There is another good post here that talks about modifying it at the webpart level.