03-20-2017 09:40 AM
Hi there,
I have a scripted REST resource that takes a query param. I'm using GlideRecord to fetch records for reading based on the query param and would like to know how to prepare the query to prevent any possible SQL injection as the parameter value is provided externally.
If I use addEncodedQuery() for example to execute the query, would that be vulnerable to SQL injection? What's the recommended approach to ensure that the query param is sanitized?
Thanks,
Jenny

03-20-2017 10:02 AM
Hi Jenny,
addEncodedQuery() is going to read records only. As long as the person authenticating against the REST API has access to those records, you should be good. If they try to inject anything in the URI (and you try to use it) it will either a) add to the filtered list of records, or b) cause an error. In either case, your scripted REST API will return fewer or 0 records. An addEncodedQuery() isn't going to recognize injected DELETE commands, for example.

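The point worth checking here is what an attacker-controlled value does to the filter itself, not to the SQL underneath it. The following is an added example, not code from the thread or from ServiceNow: GlideRecord is not available outside the platform, so it models the encoded-query grammar (`^` for AND, `^OR` for an alternative, `^NQ` for a second query whose results are unioned in) over a constructed in-memory incident table, and runs a query string built by concatenating an external parameter against one built after strict validation. The sample records, the `INC` number pattern and the function names are assumptions made for the illustration; in a real scripted REST resource the hardened path is `gr.addQuery('number', value)`, which treats the value as a literal rather than as encoded-query text.

```javascript
// Added example (not from the original thread or from ServiceNow).
// Models enough of the encoded-query grammar to show why concatenating an
// external REST parameter into addEncodedQuery() lets the caller rewrite the
// filter, and what validating the parameter first changes.

// Constructed sample data standing in for an incident table.
const INCIDENTS = [
  { number: 'INC0010001', active: true,  short_description: 'VPN down' },
  { number: 'INC0010002', active: false, short_description: 'Old ticket' },
  { number: 'INC0010003', active: true,  short_description: 'Laptop lost' },
];

// Minimal parser: conditions are separated by '^'; a token starting with
// 'OR' is an alternative to the preceding condition; a token starting with
// 'NQ' begins a new top-level query. Only the '=' operator is modelled.
// Returns a list of queries, each a list of {join, field, value}.
function parseEncodedQuery(q) {
  const queries = [[]];
  for (const raw of q.split('^')) {
    let tok = raw, join = 'AND';
    if (tok.startsWith('NQ')) { queries.push([]); tok = tok.slice(2); }
    else if (tok.startsWith('OR')) { join = 'OR'; tok = tok.slice(2); }
    if (tok === '') continue;
    const eq = tok.indexOf('=');
    if (eq < 0) throw new Error('unsupported condition: ' + tok);
    queries[queries.length - 1].push({
      join, field: tok.slice(0, eq), value: tok.slice(eq + 1),
    });
  }
  return queries;
}

// '^OR' binds to the condition before it, so a query is a conjunction of
// disjunctive groups: a^b^ORc means a AND (b OR c).
function matches(record, conds) {
  const groups = [];
  for (const c of conds) {
    if (c.join === 'OR' && groups.length) groups[groups.length - 1].push(c);
    else groups.push([c]);
  }
  return groups.every(g => g.some(c => String(record[c.field]) === c.value));
}

// Evaluates every '^NQ' query and unions the results, keyed on number.
function runEncodedQuery(table, q) {
  const seen = new Set(), out = [];
  for (const conds of parseEncodedQuery(q)) {
    for (const r of table) {
      if (matches(r, conds) && !seen.has(r.number)) {
        seen.add(r.number);
        out.push(r);
      }
    }
  }
  return out.map(r => r.number);
}

// Vulnerable builder: the external parameter is pasted into query syntax.
// A caller who sends 'nope^ORactive=true' turns "one active incident by
// number" into "every active incident"; '^NQactive=false' adds a second
// query that pulls in inactive records the endpoint never meant to expose.
function buildUnsafeQuery(numberParam) {
  return 'active=true^number=' + numberParam;
}

// Hardened builder: the caller may supply only a value, never query syntax.
// The value is checked against the exact shape the endpoint expects
// (assumed pattern for this example) and anything else is rejected before
// it reaches the query. In ServiceNow the equivalent is
//   gr.addQuery('active', true);
//   gr.addQuery('number', numberParam);
// which passes the value as a literal instead of parsing it as a query.
const INCIDENT_NUMBER = /^INC\d{7}$/;
function buildSafeQuery(numberParam) {
  if (typeof numberParam !== 'string' || !INCIDENT_NUMBER.test(numberParam)) {
    throw new Error('invalid incident number');
  }
  return 'active=true^number=' + numberParam;
}

console.log(runEncodedQuery(INCIDENTS, buildUnsafeQuery('nope^ORactive=true')));
console.log(runEncodedQuery(INCIDENTS, buildSafeQuery('INC0010003')));
```

Note that neither builder touches SQL: GlideRecord generates the SQL itself, so what the parameter can change is the record filter, and the damage is bounded by what the authenticated user is allowed to read (the ACL point made in the answer above). That bound is exactly why the filter still matters: the endpoint's own restriction, here `active=true`, is what the injected `^OR` or `^NQ` removes.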
03-20-2017 01:52 PM
That's good to know. Thanks Chuck!

03-20-2017 08:53 PM
You are welcome.
If I have answered your question, please mark my response as correct so that others with the same question in the future can find it quickly and that it gets removed from the Unanswered list.
If you are viewing this from the community inbox you will not see the correct answer button. If so, please review How to Mark Answers Correct From Inbox View.
Thank you