I. Overview
1) SQL injection generally means crafting malicious parameter input so that unintended SQL is executed in the background, in order to read data from or damage the database.
2) Anti-SQL Injection aims to prevent SQL injection by the following methods:
Disable special keywords.
Escape some characters.
Note: this feature only works for FineReport templates.
II. Instructions
1. User Interface
Click Manage -> Security -> Anti-SQL Injection to open this page, as shown below:
2. Special Keywords
1) Enable special keywords
The Forbid Keywords option is enabled by default:
Note: an error message is written to the log when a disabled keyword is present in SQL parameters.
2) Add special keywords
Click Edit below the Forbid Keywords switch to add new keywords or delete custom ones. Click a selected keyword to make it unselected, and vice versa.
Click Add Special Keywords to add custom keywords.
Note: custom keywords can be removed.
A global search can be performed via the search box on the right; it displays both selected and unselected special keywords:
3) Preview the effect of disabling special keywords
Open the following template in the FineReport designer: %FR_HOME%\webroot\WEB-INF\reportlets\GettingStartedEN.cpt, and preview it with the Pagination Preview option. In the browser, type "select" (which has been disabled in SQL parameters) into the textbox to the right of "Region", then click Query. An error will be written to the log: "Due to the use of disabled special keywords, SQL injection attacks are suspected. Please contact the administrator for any needs.", as shown below:
3. Chars
1) Turn on escape char
Log in to the Decision-making System as an administrator, go to Manage -> Security -> Anti-SQL Injection and turn on Escape Char. All characters in SQL parameters that are configured to be escaped will then be converted to empty strings:
2) Add characters
The steps for adding characters are the same as for adding special keywords; see section II.2, Add special keywords, for more information.
4. Important Note
1) Problem description:
The system login page may go blank after () is added as an escape character, and login can no longer be performed.
2) Solution
() has special meaning in regular expressions, and using () as an escape character will match every related item, so the system prohibits using the comma (,), period (.) and parentheses (()) as escape characters. If they must be used, write \(\) instead, as shown below:
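The following added example (not FineReport's own code) models the two controls described above in Python: the Forbid Keywords check from section II.2, which raises the documented log message when a disabled keyword appears in a parameter, and the Escape Char removal from sections II.3 and II.4, including why an unescaped regex metacharacter such as . or () wipes out the whole parameter and why the \(\) form works. The keyword list, escape-character list and sample parameter values are constructed for the example; only the error message is taken from the page.

```python
import re

# Constructed sample lists (hypothetical, not FineReport's built-in configuration).
FORBIDDEN_KEYWORDS = ["select", "union", "insert", "drop", "--"]
ESCAPE_CHARS = ["'", ";", "\\"]

# Message taken from the page's description of the log entry.
SUSPECTED_MSG = ("Due to the use of disabled special keywords, SQL injection attacks "
                 "are suspected. Please contact the administrator for any needs.")


class SqlInjectionSuspected(Exception):
    """Raised when a SQL parameter contains a forbidden keyword."""


def find_forbidden_keyword(param, keywords=FORBIDDEN_KEYWORDS):
    """Return the first forbidden keyword present in param, or None.

    Alphanumeric keywords are matched as whole words, case-insensitively, so
    a region named "Selection" is not flagged by "select"; symbolic keywords
    such as "--" are matched literally wherever they occur.
    """
    for kw in keywords:
        if kw.isalnum():
            pattern = r"\b" + re.escape(kw) + r"\b"
        else:
            pattern = re.escape(kw)
        if re.search(pattern, param, re.IGNORECASE):
            return kw
    return None


def check_param(param, keywords=FORBIDDEN_KEYWORDS):
    """Mirror the Forbid Keywords switch: reject the parameter with the logged message."""
    if find_forbidden_keyword(param, keywords) is not None:
        raise SqlInjectionSuspected(SUSPECTED_MSG)
    return param


def build_escape_pattern(chars, escape_metachars=True):
    """Build one regex that matches any configured escape character.

    With escape_metachars=True each entry goes through re.escape, so "(" ")"
    and "." become literal matches (the \(\) form the page recommends).
    With escape_metachars=False the entries are joined raw, which is the
    mistake behind the blank-login-page problem: "." then matches every
    character and "()" is an empty group rather than two literal brackets.
    """
    parts = [re.escape(c) if escape_metachars else c for c in chars]
    return re.compile("|".join(parts))


def strip_escape_chars(param, chars=ESCAPE_CHARS, escape_metachars=True):
    """Mirror the Escape Char switch: remove every configured character from param."""
    return build_escape_pattern(chars, escape_metachars).sub("", param)


if __name__ == "__main__":
    # Keyword check: a harmless region name passes, an injected clause is rejected.
    print(check_param("North Selection"))
    try:
        check_param("North' UNION SELECT 1 --")
    except SqlInjectionSuspected as exc:
        print("rejected:", exc)

    # Escape chars: quotes and semicolons are removed from the value.
    print(strip_escape_chars("O'Brien; x"))

    # Raw "." and "()" as a pattern wipe the whole value; escaped they remove only brackets.
    print(repr(strip_escape_chars("admin()", [".", "()"], escape_metachars=False)))
    print(repr(strip_escape_chars("admin()", [".", "()"], escape_metachars=True)))
```

Keyword and character filtering of this kind is a secondary control: it reduces what an attacker can type into a report parameter, but parameterized queries (or, in FineReport templates, parameters bound as values rather than spliced into SQL text) remain the primary defence, and a deny-list should be reviewed for false positives on legitimate data such as names containing an apostrophe.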