SQL Injection Prevention

  • Last update: October 29, 2025
  • Overview

    Version

    FineDataLink Version: 4.0.28

    Application Scenario

    SQL injection is one of the most common attack techniques against web applications. It exploits careless handling of user input in application code: a malicious parameter value causes the backend to execute attacker-controlled SQL, which can expose data or damage the database.

    Preventing SQL injection is of utmost importance in protecting system security.

    Function Description

    The SQL Injection Prevention function can intercept specific request parameters in SQL queries in the Data Service to block attack attempts. Key capabilities include:

    • Prevent SQL injection by disabling special keywords.

    • Prevent SQL injection through character escaping.

    Special Keyword

    Enabling Special Keyword

    Log in to FineDataLink as the admin, choose System Management > Security Management > SQL Injection Prevention, as shown in the following figure.

    Note:
    If a parameter value in an SQL query matches a disabled keyword, the system rejects the request with an error and logs the corresponding error message.

    Adding the Special Keyword

    1. Click the Edit button below Disable Special Keyword. You can add or delete custom special keywords, as shown in the following figure.

    2. Click the Add Special Keyword button and add a custom keyword, as shown in the following figure.

    Note:
    Custom special keywords can also be deleted.

    Here is an explanation of the example regular expression \b(?i)select\b: (?i) makes the match for select case-insensitive (so SELECT and Select are also matched), and \b denotes a word boundary, so select is matched only as a whole word and not as part of a longer word such as selected.

    3. The search box on the right supports global search, allowing you to find both selected and unselected special keywords, as shown in the following figure.

    Effect of Special Keyword Disabling

    Set a parameter in Data Service, enter the parameter value select (a disabled keyword), and click OK.

    The request is rejected and the following error message is displayed, as shown in the following figure: "Invalid Request parameter value error-Invalid parameters."

    Character

    Enabling Escape Character

    Log in to FineDataLink as the admin, choose System Management > Security Management > SQL Injection Prevention, and enable Escape Character.

    If a parameter value in an SQL query contains characters configured for escaping, those characters are removed from the value (each one is replaced with an empty string), as shown in the following figure.

    Adding the Character

    The procedure for adding escape characters is the same as for adding special keywords. For details, see the "Adding the Special Keyword" section of this document.
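    The following Python script is an added illustration of the two controls this page describes, the special-keyword blocklist and escape-character removal; it is not FineDataLink code and does not reproduce the product's implementation. The keyword patterns other than the page's own \b(?i)select\b, the escape-character list, the order in which the two checks run, and the function names are assumptions for illustration. Python (3.11 and later) requires the inline (?i) flag at the start of a pattern, so the page's example is written as (?i)\bselect\b here; the meaning is identical.

```python
import logging
import re

log = logging.getLogger("sql_injection_prevention")


class InvalidParameterError(ValueError):
    """Raised when a request parameter matches a disabled special keyword."""


# Assumed keyword blocklist. The page's own example is \b(?i)select\b; the
# flag is moved to the front because Python rejects mid-pattern global flags.
SPECIAL_KEYWORDS = [
    r"(?i)\bselect\b",
    r"(?i)\bunion\b",
    r"(?i)\bdrop\b",
]

# Assumed escape-character list. Each occurrence is replaced with the empty
# string, which is the behaviour described in the "Character" section.
ESCAPE_CHARACTERS = ["'", '"', ";", "\\"]


def find_disabled_keyword(value: str, patterns=SPECIAL_KEYWORDS):
    """Return the first blocklist pattern that matches value, or None.

    Because of the \\b anchors, "selected" and "select_id" do not match
    (the underscore counts as a word character), while "SELECT" does.
    """
    for pattern in patterns:
        if re.search(pattern, value):
            return pattern
    return None


def strip_escape_characters(value: str, chars=ESCAPE_CHARACTERS) -> str:
    """Remove every configured escape character from value."""
    for ch in chars:
        value = value.replace(ch, "")
    return value


def sanitize_parameter(name: str, value: str) -> str:
    """Apply the keyword check, then escape-character removal.

    Raises InvalidParameterError (and logs the event) when a disabled keyword
    is present, mirroring the "Invalid Request parameter value" error the
    page shows. The check order is an assumption of this example.
    """
    hit = find_disabled_keyword(value)
    if hit is not None:
        message = (
            "Invalid Request parameter value error-Invalid parameters: "
            f"parameter {name!r} matched disabled keyword pattern {hit!r}"
        )
        log.warning(message)
        raise InvalidParameterError(message)
    return strip_escape_characters(value)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed sample parameter values for demonstration.
    samples = ["O'Brien", "selected items", "select_id", "SELECT * FROM t"]
    for sample in samples:
        try:
            print(f"{sample!r:22} -> {sanitize_parameter('q', sample)!r}")
        except InvalidParameterError as err:
            print(f"{sample!r:22} -> rejected: {err}")
```

Running the script shows the word-boundary behaviour explained above: selected items and select_id pass the keyword check, SELECT * FROM t is rejected despite the different letter case, and O'Brien is returned with the quote stripped. A keyword and character blocklist of this kind is a secondary, defense-in-depth layer; it does not replace parameterized queries in the application code that builds the SQL.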
