About SQL injections

Be careful about potential SQL injections that can be passed in the where clause. Make sure that the database user associated with the grid has restricted rights.


  • it is not possible to pass extra SQL statements through the ``issue in grid("","")`` search function (e.g. ``issue in grid("familylist","1=1; delete table familylist")`` does not work); thus only injections within the where clause, and therefore within the inner select, are possible

  • none of MySQL, Oracle, HSQL, PostgreSQL or MSSQL syntax permits create, update or delete statements within a select query

  • it is possible to pass a query that can hang the server (e.g. a very expensive calculation, since the where clause permits the use of math functions)

  • an attacker can learn the type (MySQL, HSQL, PostgreSQL or Oracle) and version of the grid database by running server- and version-specific queries

  • dump files can be created on the server, littering it with those files

  • a table name can be brute-forced, and thus some table data can be brute-forced as well
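Restricting the grid's database user, as an added example that is not part of the original page: the database name griddb, the user grid_ro and the password placeholder are assumptions, while familylist is the table from the example above. The statements are the standard MySQL and PostgreSQL ones for a select-only user with a bounded query time, which limits the where-clause injection, the expensive-query and the dump-file cases listed above.

```sql
-- Added example (not from the original page). Assumed names: database
-- griddb, user grid_ro, placeholder password; familylist comes from the page.

-- MySQL --------------------------------------------------------------
-- Weak setting: a grid user that owns everything, including the FILE
-- privilege, which is what SELECT ... INTO OUTFILE needs to write dump files.
-- GRANT ALL PRIVILEGES ON *.* TO 'grid'@'localhost';   -- do not do this

CREATE USER 'grid_ro'@'localhost' IDENTIFIED BY '<replace-with-strong-password>';
-- Only SELECT, only on the tables the grid displays: no FILE, no SUPER and
-- no write privileges, so an injected where clause can at most read this table.
GRANT SELECT ON griddb.familylist TO 'grid_ro'@'localhost';
-- Bound the cost of a "huge calculation" where clause (MySQL 5.7.8 and later;
-- applies to SELECT statements, value in milliseconds). Can also be set in
-- the [mysqld] section of my.cnf.
SET GLOBAL max_execution_time = 5000;
-- Check: the output must list SELECT on griddb.familylist and nothing else.
SHOW GRANTS FOR 'grid_ro'@'localhost';

-- PostgreSQL ---------------------------------------------------------
CREATE ROLE grid_ro LOGIN PASSWORD '<replace-with-strong-password>';
REVOKE ALL ON DATABASE griddb FROM grid_ro;
GRANT CONNECT ON DATABASE griddb TO grid_ro;
GRANT USAGE ON SCHEMA public TO grid_ro;
GRANT SELECT ON public.familylist TO grid_ro;
-- COPY ... TO '<file>' needs superuser or pg_write_server_files, which this
-- role does not have, so it cannot write dump files on the server.
-- A statement timeout bounds expensive where clauses for this role only.
ALTER ROLE grid_ro SET statement_timeout = '5s';
-- Check: both must return false, the third true.
SELECT has_table_privilege('grid_ro', 'public.familylist', 'DELETE');
SELECT has_table_privilege('grid_ro', 'public.familylist', 'UPDATE');
SELECT has_table_privilege('grid_ro', 'public.familylist', 'SELECT');
```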
