Kentico version 12 - Portal Engine
I'm using a Custom Table Repeater web part that uses a querystring value in the Where clause to pull the correct custom table data. How can you ensure that a bad actor can't use this querystring variable to access data or damage the database? Does Kentico do this automatically? Our security-scanning software is flagging this as a SQL injection vulnerability.
Where Condition: type = {%Querystring.Type%}
See the documentation on macros and security. SQL injection is also described there, and apostrophe escaping is applied by default.
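An added illustration, not code from the original post or from Kentico's documentation: the where condition in the question compares against the macro value with no quotes around it. Apostrophe escaping protects a value that sits inside a string literal (the attacker cannot close the quote), but an unquoted comparison receives a value such as `1 OR 1=1` that contains no apostrophe and is inserted untouched. The snippet shows the quoted form, the unquoted form, manual escaping with `SqlHelper.EscapeQuotes`, and a custom web part that passes the value through the Kentico 12 DataQuery API as a parameter instead of pasting it into SQL text. The class name `customtable.Products`, the column `Type`, and the `ToInt(0)` macro method for numeric columns are this editor's assumptions about the site; check them against your own custom table.

```csharp
// Added example, not from the original post or from Kentico. Assumes a custom table
// with class name "customtable.Products" and a text column "Type"; adjust to your site.
using System;
using CMS.CustomTables;   // CustomTableItem, CustomTableItemProvider
using CMS.DataEngine;     // ObjectQuery, SqlHelper
using CMS.Helpers;        // QueryHelper

public static class TypeFilterExamples
{
    // Portal Engine web part Where condition for a TEXT column. The macro value is
    // resolved with apostrophes escaped, so an input of   ' OR 1=1 --
    // becomes   '' OR 1=1 --   inside the literal and cannot break out of it.
    public const string SafeTextWhere = "Type = '{%QueryString.Type%}'";

    // The form from the question. There is nothing to escape: an input of   1 OR 1=1
    // has no apostrophe, is inserted as-is, and the condition matches every row.
    public const string UnquotedWhere = "Type = {%QueryString.Type%}";

    // For a NUMERIC column, convert in the macro so only an integer can reach the SQL.
    // (ToInt(0) is assumed here; confirm the macro method name in your version's docs.)
    public const string SafeNumericWhere = "TypeID = {%QueryString.Type.ToInt(0)%}";

    // Same idea in code: explicit escaping, still wrapped in quotes.
    public static string BuildEscapedWhere(string type)
    {
        return "Type = '" + SqlHelper.EscapeQuotes(type) + "'";
    }

    // Preferred in a custom web part: let the DataQuery API parameterize the value,
    // so no SQL text is ever assembled from the querystring.
    public static ObjectQuery<CustomTableItem> GetItemsByType(string className = "customtable.Products")
    {
        string type = QueryHelper.GetString("Type", "");   // untrusted querystring input
        return CustomTableItemProvider.GetItems(className)
            .WhereEquals("Type", type)
            .TopN(100);
    }

    // Numeric variant: parse first, then compare; a non-numeric value falls back to 0.
    public static ObjectQuery<CustomTableItem> GetItemsByTypeId(string className = "customtable.Products")
    {
        int typeId = QueryHelper.GetInteger("Type", 0);
        return CustomTableItemProvider.GetItems(className)
            .WhereEquals("TypeID", typeId);
    }
}
```

The practical check for the scanner finding is therefore not only "is escaping on" but "is the macro inside quotes, and does the column type match the value". A text column needs the quoted form; a numeric column needs a conversion so that only a number is ever substituted.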