My site got reported as being vulnerable to SQL injection.
I use DataQuery and basic repeater web part.
In the DataQuery web part, I set the where condition as follows:
m.SPWDiseaseGuid = '{? guid ?}' AND l.FK_CultureID = '{% DocumentContext.CurrentDocumentCulture.ID #%}'
and the guid, which comes from the query string, is vulnerable to SQL injection.
Is there anything I can do?
I am using Kentico 9.
In macros, SQL injection protection is enabled by default; this is applied to macros entered into the WhereCondition, OrderBy and Columns web part properties. You don't have to do anything. Here is the documentation.
Hi Jackie,
Please read through this Kentico documentation article; it explains how to protect your parameters. In a nutshell, you should be using a macro like this instead of {%param%}:
{%param%}
{% SQLEscape(QueryString.GetValue("guid", ""))#%}
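To make the difference between the two macros concrete, here is an added example that is not from the answers above or from Kentico's own code. It builds the question's where condition three ways in plain Python against an in-memory SQLite table standing in for the SQL Server custom table: pasting the query-string value in as-is (the original template), doubling single quotes before insertion (assumed here to be what SQLEscape does), and validating that the value is actually a GUID before any SQL is built. The table, column names (modelled on m.SPWDiseaseGuid), GUID values and attacker payload are all constructed for the illustration.

```python
import sqlite3
import uuid

# Constructed sample data for this illustration: one published row and one
# row a visitor must never see. The GUID values are made up.
PUBLISHED_GUID = "5f7d1a1e-3b2c-4d9e-8f10-1a2b3c4d5e6f"
HIDDEN_GUID = "9c0b8a7f-6e5d-4c3b-a210-fedcba987654"

# Constructed attacker input: closes the string literal, then comments out
# the rest of the WHERE clause (the "--" comment works on SQL Server too).
PAYLOAD = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """In-memory SQLite table standing in for the Kentico custom table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE SPWDisease (SPWDiseaseGuid TEXT, Name TEXT, Published INTEGER)")
    # Parameterised inserts: the values never touch the SQL text.
    conn.executemany(
        "INSERT INTO SPWDisease VALUES (?, ?, ?)",
        [(PUBLISHED_GUID, "Asthma", 1), (HIDDEN_GUID, "Secret draft", 0)],
    )
    return conn


def where_unescaped(guid: str) -> str:
    """The original template: the query-string value is pasted into the SQL as-is."""
    return f"SPWDiseaseGuid = '{guid}' AND Published = 1"


def sql_escape(value: str) -> str:
    """Stand-in for Kentico's SQLEscape macro method (assumption for this
    illustration: it doubles single quotes so the value cannot close the
    string literal it is embedded in)."""
    return value.replace("'", "''")


def where_escaped(guid: str) -> str:
    """The answer's fix: the value is escaped before it enters the string literal."""
    return f"SPWDiseaseGuid = '{sql_escape(guid)}' AND Published = 1"


def is_valid_guid(value: str) -> bool:
    """Stricter check: the parameter is supposed to be a GUID, so reject anything else."""
    try:
        uuid.UUID(value)
    except ValueError:
        return False
    return True


def where_validated(guid: str) -> str:
    """Validate the shape first; a GUID can never contain a quote or a comment marker."""
    if not is_valid_guid(guid):
        raise ValueError("guid query-string parameter is not a GUID")
    return f"SPWDiseaseGuid = '{uuid.UUID(guid)}' AND Published = 1"


def run(where: str) -> list:
    """Execute the SELECT with the given WHERE fragment and return the matching names."""
    conn = make_db()
    rows = conn.execute(f"SELECT Name FROM SPWDisease WHERE {where} ORDER BY Name").fetchall()
    conn.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    print(run(where_unescaped(PAYLOAD)))  # ['Asthma', 'Secret draft']: Published filter bypassed
    print(run(where_escaped(PAYLOAD)))    # []: the payload is now just a string that matches nothing
    print(is_valid_guid(PAYLOAD))         # False: rejected before any SQL is built
```

Escaping stops the quote breakout shown here, but for a parameter that must be a GUID, checking the shape first is the more robust rule: it rejects the input outright rather than relying on the escaping rules of whatever context the value ends up in.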
Just to add to what was said above, check the blog posts from our security expert too!