About SQL injections
Be careful about potential SQL injections which can be passed along the where clause. Make sure that the database user associated with the grid has restricted rights.
- There is no possibility to pass extra SQL statements through the ``issue in grid("","")`` search function (e.g. ``issue in grid("familylist","1=1; delete table familylist")`` is not possible); thus only injections within the where clause, and therefore in the inner select, are possible.
- Neither MySQL, Oracle, HSQL, PostgreSQL nor MSSQL syntax permits create, update or delete statements within a select query.
- It is possible to pass a hang-threatening query to the server (e.g. a huge calculation query, since the where clause permits the use of math functions).
- An attacker can learn what type (MySQL, HSQL, PostgreSQL or Oracle) and what version of database the grid uses, by running server- and version-specific queries.
- It is possible to create dump files on the server, littering the server with them.
- A table name can be brute-forced, and thus some table data can be brute-forced.
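Restricting the database user's rights limits the damage of a where-clause injection, but it does not stop the risks listed above (expensive calculations, version probing, sub-selects against other tables). A complementary check is to validate the user-supplied where clause before it reaches the database: only known column names, comparison operators, literals and boolean keywords are accepted, so function calls, sub-selects, statement separators and comments are rejected. The following is an added example and is not code from the original page or from the grid product; the column names in ``ALLOWED_COLUMNS`` and the size limits are assumptions to be replaced with the grid's real configuration.

```python
import re

# Columns the grid may filter on (assumed; replace with the real column list).
ALLOWED_COLUMNS = {"id", "family", "status", "created"}

# Boolean and comparison keywords permitted inside a where clause. No function
# names are allowed, which also excludes math functions and version helpers.
ALLOWED_KEYWORDS = {"AND", "OR", "NOT", "LIKE", "IN", "IS", "NULL", "BETWEEN"}

# Arithmetic operators are deliberately absent: the page notes that calculation-
# heavy where clauses can hang the server.
TOKEN_RE = re.compile(
    r"""
    \s*(?:
        (?P<string>'(?:[^']|'')*')        # single-quoted literal, '' escapes a quote
      | (?P<number>\d+(?:\.\d+)?)         # numeric literal
      | (?P<word>[A-Za-z_][A-Za-z0-9_]*)  # identifier or keyword
      | (?P<op><=|>=|<>|!=|[=<>(),])      # comparison operators and punctuation
      | (?P<bad>.)                        # anything else (; -- /* etc.) is rejected
    )
    """,
    re.VERBOSE,
)

MAX_LENGTH = 500   # assumed upper bound on clause size
MAX_TOKENS = 60    # assumed upper bound on clause complexity


def validate_where_clause(clause: str) -> tuple[bool, str]:
    """Return (ok, reason). ok is True only if every token is on the allowlist."""
    if len(clause) > MAX_LENGTH:
        return False, "where clause too long"
    tokens = 0
    depth = 0
    pos = 0
    while pos < len(clause):
        m = TOKEN_RE.match(clause, pos)
        if m is None:  # only trailing whitespace remains
            break
        pos = m.end()
        if m.group("bad") is not None:
            return False, f"illegal character {m.group('bad')!r}"
        tokens += 1
        if tokens > MAX_TOKENS:
            return False, "too many tokens"
        word = m.group("word")
        if word is not None:
            # A bare word must be a boolean/comparison keyword or a known column;
            # SELECT, UNION, function names and unknown tables all fail here.
            if word.upper() in ALLOWED_KEYWORDS or word.lower() in ALLOWED_COLUMNS:
                continue
            return False, f"unknown identifier or keyword {word!r}"
        op = m.group("op")
        if op == "(":
            depth += 1
        elif op == ")":
            depth -= 1
            if depth < 0:
                return False, "unbalanced parentheses"
    if depth != 0:
        return False, "unbalanced parentheses"
    if tokens == 0:
        return False, "empty where clause"
    return True, "ok"


if __name__ == "__main__":
    for clause in (
        "status = 'open' AND family IN ('a', 'b')",
        "1=1; delete table familylist",          # the page's own example
        "id IN (SELECT id FROM users)",          # sub-select against another table
    ):
        print(repr(clause), "->", validate_where_clause(clause))
```

Call ``validate_where_clause`` on the grid's where-clause parameter before building the query; a rejected clause should be logged with its reason and the request refused. An allowlist of this kind is only a gate in front of the database, so the restricted database user remains the primary control.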