Overview
Version
Report Server Version | 11.0
Application Scenario
SQL injection is one of the most common attacks against web applications. It exploits code that concatenates untrusted input directly into SQL statements, so a malicious parameter value forces the backend database to execute attacker-controlled SQL and thereby read, modify or destroy data.
Preventing SQL injection is therefore a core part of system security protection.
Function Description
The SQL injection prevention function intercepts the parameter values submitted to a template and applies either or both of the following protections:
Prevent SQL injection by disabling special keywords.
Prevent SQL injection through character escaping.

Special Keyword
Enabling Special Keyword
Log in to the decision-making platform as admin, choose System Management > Security Management > SQL Injection Prevention, and enable the Disable Special Keyword button, as shown in the following figure.

Adding Special Keyword
1. Click the Edit button to the right of the Disable Special Keyword button to add or delete custom special keywords.
2. Click the Add Special Keyword button, enter the keyword (as a regular expression) and add it, as shown in the following figure.

Explanation of the regular expression (?i)select: (?i) is an inline flag that makes the rest of the pattern case-insensitive, so select, SELECT and Select all match. A word-boundary anchor (\b in Java regular expressions) marks where the keyword starts or ends, so that the pattern matches the keyword itself and not words that merely contain it.
3. The search box on the right side searches all special keywords, both selected and unselected, as shown in the following figure.
Special Keyword Disable Effect Display
Open the built-in report %FR_HOME%\webroot\WEB-INF\reportlets\GettingStartedEN.cpt.
Enter "select" in the text box to the right of Region and click Query. The disabled keyword "select" is now present in the SQL parameter value.
The query is rejected and the error message "Due to the use of disabled special keywords, the system is suspected of being attacked through SQL injection. Contact the administrator for special needs." is written to the log.
Escape Character
Enabling Escape Character
Log in to the decision-making platform as the admin, choose System Management > Security Management > SQL Injection Prevention, and enable the Escape Character button.
When a SQL parameter value contains characters that match a configured escape character, every match is replaced with an empty string, that is, the matched characters are removed from the parameter before it reaches the SQL statement, as shown in the following figure.
Adding Escape Character
Escape characters are added in the same way as special keywords. For details, see section "Adding Special Keyword" in this document.
Notes
Problem:
After you add parentheses (()) as an escape character, the decision-making platform login page is blank and you can no longer log in.
Solution:
Escape characters are interpreted as regular expressions, and parentheses (()) are regular-expression metacharacters (grouping), not literal characters. Entered as (), they do not match the parentheses in a parameter value but interfere with every parameter the platform processes, including those used by the login page. For the same reason, do not enter commas (,), periods (.) (a bare period matches any character), or parentheses (()) directly as escape characters.
If you have to strip parentheses (()) from parameters, escape them as \(\) so that they are matched literally, as shown in the following figure.
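The following is an added example, not FineReport's code, that models the two protections this page describes (keyword blocking and escape-character stripping) as plain regular-expression filters, so the behaviour of (?i) and \b in a special keyword and the difference between () and \(\) as an escape character can be checked offline. The function names, the pattern lists and the sample parameter values are all assumptions made for this illustration; the product's own keyword and escape lists are not reproduced here.

```python
import re

# Added example for this page: a model of the documented behaviour, not
# FineReport's implementation. Pattern lists and sample values are assumed.

# Special keywords are regular expressions; a match rejects the request.
# (?i) makes the match case-insensitive; \b keeps "select" from matching
# "selected". These are assumed patterns, not the product defaults.
SPECIAL_KEYWORDS = [r"(?i)\bselect\b", r"(?i)\bunion\b", r"(?i)\bdrop\b"]

# Escape characters are regular expressions; every match is replaced with "".
# Metacharacters must be escaped (\(\), not ()) to be matched literally.
ESCAPE_CHARS = [r"'", r"--", r"\(\)"]

ERROR_TEXT = ("Due to the use of disabled special keywords, the system is "
              "suspected of being attacked through SQL injection. "
              "Contact the administrator for special needs.")


class SqlInjectionSuspected(Exception):
    """Raised when a parameter value contains a disabled special keyword."""


def check_special_keywords(value, patterns=SPECIAL_KEYWORDS):
    """Return the value unchanged, or raise if any keyword pattern matches."""
    for pattern in patterns:
        if re.search(pattern, value):
            raise SqlInjectionSuspected(f"{ERROR_TEXT} (pattern {pattern!r})")
    return value


def is_rejected(value, patterns=SPECIAL_KEYWORDS):
    """True if the keyword check would reject this parameter value."""
    try:
        check_special_keywords(value, patterns)
    except SqlInjectionSuspected:
        return True
    return False


def escape_characters(value, patterns=ESCAPE_CHARS):
    """Strip every match of every escape pattern from the value."""
    for pattern in patterns:
        value = re.sub(pattern, "", value)
    return value


def filter_parameter(value, keywords=SPECIAL_KEYWORDS, escapes=ESCAPE_CHARS):
    """Apply both protections, keyword check first, then escaping."""
    check_special_keywords(value, keywords)
    return escape_characters(value, escapes)


def literal_pattern(text):
    """Escape a literal string so the regex matches exactly that text.

    re.escape("()") yields \\(\\), the form the Notes section asks for.
    """
    return re.escape(text)


if __name__ == "__main__":
    # Constructed sample values for the Region parameter of a report query.
    print(filter_parameter("East China"))            # unchanged
    print(filter_parameter("O'Brien () --"))         # quote, parens and -- stripped
    print(is_rejected("selected region"))            # False: \b blocks partial match
    print(is_rejected("x' UNION select 1 --"))       # True: keyword present

    # The pitfall from the Notes section: metacharacters entered literally.
    print(repr(escape_characters("f()", ["()"])))    # 'f()' : empty group, nothing stripped
    print(repr(escape_characters("f()", [r"\(\)"]))) # 'f'   : literal parentheses stripped
    print(repr(escape_characters("admin", ["."])))   # ''    : a bare period strips everything
    print(literal_pattern("()"))                     # \(\)
```

Running the block shows why the Notes section insists on \(\): the pattern () is an empty group that never matches the parentheses themselves, while a bare period strips every character of every parameter, which is the kind of blanket effect that leaves a login form with no usable input.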