How do you prevent SQL injection when using querystring values in the Where condition of a web part

Gregg Duncan asked on August 22, 2022 16:31

Kentico version 12 - Portal Engine

I'm using a Custom Table Repeater web part that uses a querystring value in the Where clause to pull the correct custom table data. How can you ensure that a bad actor can't use this querystring variable to access data or damage the database? Does Kentico do this automatically? Our security scanning software is marking this as a SQL injection vulnerability.

Where Condition: type = {%Querystring.Type%}

Correct Answer

Juraj Ondrus answered on August 23, 2022 06:38

See the documentation on macros and security. SQL injection is also described there, and apostrophe escaping is enabled by default.

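The answer above points to apostrophe escaping. What that does, and does not, protect is worth seeing in running code, because the Where condition in the question (`type = {%Querystring.Type%}`) places the macro outside any quotes. The following is an added example, not Kentico's code or its actual escaping implementation: it models apostrophe escaping as the usual doubling of single quotes, runs the resulting Where conditions against a constructed in-memory SQLite table that stands in for a custom table, and contrasts the unquoted condition, a quoted condition, and a hardened lookup that validates the value as an integer and binds it as a parameter. The table, column and function names are assumptions for the demo.

```python
import re
import sqlite3

# Constructed sample data standing in for a Kentico custom table (hypothetical schema).
SAMPLE_ROWS = [
    (1, 1, "public item A"),
    (2, 1, "public item B"),
    (3, 2, "internal item C"),
    (4, 3, "confidential item D"),
]


def make_db():
    """Create an in-memory table with an integer Type column, like the page's 'type' filter."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (ItemID INTEGER, Type INTEGER, Title TEXT)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def escape_apostrophes(value: str) -> str:
    """Model of 'apostrophe escaping': double every single quote so the value
    cannot terminate a string literal. This is a generic model, not Kentico's code."""
    return value.replace("'", "''")


def where_unquoted(untrusted: str) -> str:
    """Mirrors the page's condition: type = {%Querystring.Type%} (macro not quoted)."""
    return "Type = " + escape_apostrophes(untrusted)


def where_quoted(untrusted: str) -> str:
    """Same macro wrapped in quotes: type = '{%Querystring.Type%}'."""
    return "Type = '" + escape_apostrophes(untrusted) + "'"


def run_where(conn, where_condition: str):
    """Execute the assembled condition the way a repeater would and return matching IDs."""
    sql = "SELECT ItemID FROM items WHERE " + where_condition + " ORDER BY ItemID"
    return [row[0] for row in conn.execute(sql).fetchall()]


def safe_lookup(conn, untrusted: str):
    """Hardened form: accept only a plain integer, then bind it as a query parameter
    so the value is never spliced into SQL text at all."""
    if not re.fullmatch(r"[0-9]{1,9}", untrusted):
        return []  # reject; the raw string never reaches the SQL
    rows = conn.execute(
        "SELECT ItemID FROM items WHERE Type = ? ORDER BY ItemID", (int(untrusted),)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Legitimate request: ?Type=1
    print("unquoted, Type=1        ->", run_where(db, where_unquoted("1")))
    # Boolean payload in the unquoted position: escaping has nothing to escape, so every row leaks.
    print("unquoted, '1 OR 1=1'    ->", run_where(db, where_unquoted("1 OR 1=1")))
    # Same payload inside quotes: it is just a string literal and matches nothing.
    print("quoted,   '1 OR 1=1'    ->", run_where(db, where_quoted("1 OR 1=1")))
    # Classic quote-breakout inside quotes: the doubled apostrophes keep it a single literal.
    print("quoted,   quote breakout->", run_where(db, where_quoted("1' OR '1'='1")))
    # Hardened lookup rejects the payload and still serves the valid value.
    print("safe,     '1 OR 1=1'    ->", safe_lookup(db, "1 OR 1=1"))
    print("safe,     Type=2        ->", safe_lookup(db, "2"))
```

The takeaway for the page's condition is that doubling apostrophes only matters when the macro sits inside a quoted string literal. With `type = {%Querystring.Type%}` written unquoted, a value such as `1 OR 1=1` contains no apostrophe, survives escaping untouched, and turns the filter into a tautology. Validating the querystring value as the integer it is supposed to be (or binding it as a parameter) before it reaches the Where condition closes that gap regardless of how the escaping behaves.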
