Hi
I have made a REST api in NTWS. It works magnificently.
But now I am asked if it is possible to do SQL Injection in the values that are transferred.
I guess I need some good advice here!
Any comments?
/Niels
Are you sanitizing the parameters passed to the REST API?
If you are not, then there is definitely a risk of SQL injection.
If you are using NetTalk, and by extension the File Driver (not prop:sql) to write to the file, then no, there's no risk of SQL injection.
The file drivers make use of parameterized queries when writing to the database. This is slightly different to just writing plain SQL, but one of the main benefits is that this prevents SQL injection.
One of the dangers of using prop:sql is that this protection is lost. (Which is why NetTalk doesn't use it.)
Thanks Bruce for making it clear so even I can understand it.
This could have been explained in the docs, but then who would have done a driver trace to see what is being sent to the backend?
It would be even better to document that Prop:SQL statements DO NOT enjoy the protection of parameterisation. When using PROP:SQL it is up to the developer to ensure that the command is properly sanitised, and safe to use.
For this reason, if not for any other, it is important to avoid the use of Prop:SQL wherever possible. And if you do use it, then all variable values used in WHERE, ORDER BY et al. clauses are passed through a sanitiser first to ensure that no malicious code is being entered.
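An added example, not code from this thread, NetTalk, or the Clarion file drivers, and written in Python against an in-memory SQLite database rather than in Clarion: it models the difference Bruce describes between a hand-built PROP:SQL string and a parameterised query, shows the quote-doubling "sanitiser" the last post asks for, and adds the allow-list that an ORDER BY column needs because an identifier cannot be bound as a parameter at all. The table, rows, and the malicious input are constructed for the demonstration; the function names are assumptions of mine.

```python
import sqlite3

# Constructed sample data for the demonstration (not a real NetTalk table).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO customer (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    # Models a hand-built PROP:SQL string: the caller's value becomes part of
    # the SQL text, so quote characters in it change the query's meaning.
    sql = "SELECT id, name, email FROM customer WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    # Models what a file driver does: the SQL shape is fixed and the value is
    # sent separately as a bound parameter, so it can only ever be data.
    sql = "SELECT id, name, email FROM customer WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def escape_literal(value):
    # The "sanitiser" fallback for string literals when PROP:SQL is unavoidable:
    # doubling single quotes keeps the value inside its quotes. This only covers
    # quoted string literals; numbers, dates and identifiers need their own rules.
    return value.replace("'", "''")


def lookup_escaped(conn, name):
    sql = "SELECT id, name, email FROM customer WHERE name = '" + escape_literal(name) + "'"
    return conn.execute(sql).fetchall()


# Column names cannot be passed as parameters, so ORDER BY input is matched
# against a fixed allow-list instead of being "cleaned".
ALLOWED_SORT_COLUMNS = ("id", "name", "email")


def list_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column: %r" % (sort_column,))
    return conn.execute("SELECT name FROM customer ORDER BY " + sort_column).fetchall()


# Constructed attacker input: closes the literal and appends a tautology.
MALICIOUS_NAME = "x' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_concatenated(db, MALICIOUS_NAME))   # every row leaks
    print("parameterised:", lookup_parameterised(db, MALICIOUS_NAME))  # no rows
    print("escaped      :", lookup_escaped(db, MALICIOUS_NAME))        # no rows
    print("sorted       :", list_sorted(db, "name"))
```

Run it and the concatenated lookup returns both customers for a name that matches nobody, while the parameterised and escaped versions return nothing; the same input is harmless as data and dangerous as SQL text. Escaping is a fallback, not a substitute: it has to be done correctly for every value type and every backend's quoting rules, whereas binding parameters removes the problem for values entirely, which is the protection the file drivers give and PROP:SQL does not.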