Securing QueryString parameter in Repeater

Hi Greg,

In all built-in web parts are "WHERE" and "ORDER BY" web part properties protected against SQL injection automatically. If one of the mentioned web part properties contains macro, the macro result is sanitized to avoid SQL injection - apostrophes are escaped.

Your WHERE condition - JobType LIKE '%{% QueryString.type |(identity)GlobalAdministrator%}.

Hope it will help you.

By default it will automatically be checked and invalid SQL characters escaped. You can read more details in the Kentico Security Whitepaper

Thanks Guys! I just performed quick XSS JavaScript injection that's why I created this post. Thank you.

Hello Greg, The only thing extra that I would suggest is to escape query suggested by Brendon like this, which he has already mentioned in his answer. I reached out to Kentico recently for a case where value of parameter "p" could have apostrophe like "Greg's". You may get an error/incorrect results as it will get evaluated. This is primarily dropped to avoid any SQL injection attacks.

{% if(SQLEscape(QueryString.GetValue("p")) == "RB") { "PostedBy = 'Ray Block'" } |(handlesqlinjection)false @%}

Laura's Article is an excellent premier on best parctices while creating secure filters

Kentico's article on SQL Injection attack

Let us know if it helps