Securing QueryString parameter in Repeater

Greg Woz asked on June 15, 2015 16:12

Hello,

I am passing WHERE condition in repeater as follows: JobType LIKE '%{% QueryString.type %}%'

I would like to check if no malicious characters are stored within [type] parameter. Is there any Helper function I could use within WHERE clause of the repeater or any other way to secure it keeping the same solution (QueryString param embedded in WHERE clause)?

Recent Answers


Juraj Komlosi answered on June 15, 2015 17:41

Hi Greg,

In all built-in web parts, the "WHERE" and "ORDER BY" web part properties are protected against SQL injection automatically. If one of the mentioned web part properties contains a macro, the macro result is sanitized to avoid SQL injection - apostrophes are escaped.

Your WHERE condition - JobType LIKE '%{% QueryString.type %}%' - is absolutely correct and safe. If you are interested in protection against SQL injection in Kentico, you may find my blog post related to this topic helpful.

Just be careful if you work with a WHERE condition like this - DocumentID = {%QueryString.documentid%}. In this case you cannot rely on system protection. Please notice that there are no apostrophes in the specified condition, so any escaping is useless. The only solution here is to convert the macro result to the appropriate data type, so it should look like this - DocumentID = {%ToInt(QueryString.documentid, 0)%}.

Hope it will help you.


Brenden Kehren answered on June 15, 2015 17:44

By default it will automatically be checked and invalid SQL characters escaped. You can read more details in the Kentico Security Whitepaper.


Greg Woz answered on June 17, 2015 12:09

Thanks guys! I just performed a quick XSS JavaScript injection, that's why I created this post. Thank you.


Chetan Sharma answered on May 25, 2017 14:45 (last edited on May 25, 2017 14:46)

Hello Greg, the only extra thing I would suggest is to escape the query as suggested by Brenden, like this, which he has already mentioned in his answer. I reached out to Kentico recently for a case where the value of the parameter "p" could have an apostrophe, like "Greg's". You may get an error/incorrect results as it will get evaluated. This is primarily dropped to avoid any SQL injection attacks.

{% if(SQLEscape(QueryString.GetValue("p")) == "RB") { "PostedBy = 'Ray Block'" } |(handlesqlinjection)false @%}

Laura's article is an excellent primer on best practices while creating secure filters

Kentico's article on SQL Injection attack

Let us know if it helps

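The distinction drawn in Juraj's answer (apostrophe escaping protects a quoted LIKE literal but does nothing for an unquoted DocumentID comparison, which must be type-converted) and the apostrophe case from Chetan's post ("Greg's"), shown as an added Python example that is not code from the thread or from Kentico. It re-creates the two macro behaviours as plain functions, sql_escape standing in for the WHERE-property sanitizer and to_int for ToInt(x, 0), and runs the resulting clauses against a constructed in-memory SQLite table.

```python
import sqlite3

# Constructed sample rows standing in for a document table: (DocumentID, JobType).
SAMPLE_ROWS = [
    (1, "Greg's Plumbing"),
    (2, "Engineering"),
    (3, "Engineering Manager"),
]


def sql_escape(value: str) -> str:
    """Double apostrophes, as the WHERE/ORDER BY sanitizer does for macro output."""
    return value.replace("'", "''")


def to_int(value: str, default: int = 0) -> int:
    """Stand-in for ToInt(value, default): anything non-numeric becomes the default."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default


def where_jobtype_like(type_param: str) -> str:
    # Quoted context: escaping keeps the whole value inside the string literal,
    # so "Greg's" becomes a valid literal instead of a syntax error.
    return f"JobType LIKE '%{sql_escape(type_param)}%'"


def where_documentid(documentid_param: str) -> str:
    # Unquoted context: there is no literal to escape, so the only defence is
    # coercing the value to the column's type before it reaches the query.
    return f"DocumentID = {to_int(documentid_param, 0)}"


def run_where(where: str) -> list:
    """Execute a WHERE fragment against the sample table; returns matching IDs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Docs (DocumentID INTEGER, JobType TEXT)")
    conn.executemany("INSERT INTO Docs VALUES (?, ?)", SAMPLE_ROWS)
    rows = conn.execute(
        f"SELECT DocumentID FROM Docs WHERE {where} ORDER BY DocumentID"
    ).fetchall()
    conn.close()
    return [r[0] for r in rows]
```

Note that sql_escape neutralises only the apostrophe; LIKE wildcards such as % and _ in the parameter still act as wildcards, which is a matching concern rather than an injection one.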
