hi there!
Recently we migrated from v8.0.2 to 8.1.4 and we started to see issues in WebPortal related to SQL Injection.
The component in which we have the SQL injection issue has a filter to load Department entries that belong to a specific "branch". For example:
- Department1
--- Department1.1
--- Department1.2
- Department2
--- Department2.1
--- Department2.2
Based on a previously selected Location, the form will show either Department1 branch or Department2 branch.
The object is a Person entry and we are using the Vi_Edit_FK component to show the Department hierarchy and the function AdditionalWhereClause() to set the filter.
- The filter is this:
- Fullpath like " {0}\%"
- and {0} will be the previously selected location
Obviously, that statement will be penalized by the SQL injection algorithm.
Then, I changed to:
- format("SUBSTRING(fullpath,0,CHARINDEX('\',fullpath,0)) = '{0}'", select CompanyName from Edittable)
But still that whereClause is being penalized.
What other option do we have?
- Load all Departments entries into a collection and then set the filter in the collection itself?
Doing the filter in SQL was a straightforward solution, but after trying several things I don't see how that could be possible.
Any ideas?
Thanks in advance.
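The root of the penalty is that the selected location is formatted into the SQL text itself. The added example below (not the poster's code, and not the Vi_Edit_FK / AdditionalWhereClause API; sqlite3 is used as a stand-in for the product's query layer) builds the same "everything under this branch" filter with the location bound as a parameter and LIKE wildcards escaped, next to the string-formatted version, on a constructed copy of the hierarchy from the post.

```python
import sqlite3

# Constructed sample data mirroring the hierarchy in the post (not real entries).
DEPARTMENTS = [
    ("Department1",),
    ("Department1\\Department1.1",),
    ("Department1\\Department1.2",),
    ("Department2",),
    ("Department2\\Department2.1",),
    ("Department2\\Department2.2",),
]

def open_sample_db():
    """In-memory table with a FullPath column, standing in for the Department table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Department (FullPath TEXT NOT NULL)")
    conn.executemany("INSERT INTO Department VALUES (?)", DEPARTMENTS)
    return conn

def unsafe_branch_filter(location):
    """The pattern from the post: the value is pasted into the SQL text.
    Besides being flagged by an injection check, a '%' or '_' in the
    location silently widens the match."""
    return f"FullPath LIKE '{location}\\%'", ()

def safe_branch_filter(location):
    """Same filter with the value bound as a parameter. Wildcards inside the
    value are escaped ('!' is the escape character), so only the literal
    prefix followed by a backslash matches; the SQL text never contains
    user-controlled characters."""
    escaped = (location.replace("!", "!!")
                       .replace("%", "!%")
                       .replace("_", "!_"))
    return "FullPath LIKE ? ESCAPE '!'", (escaped + "\\%",)

def departments_in_branch(conn, location, build_filter=safe_branch_filter):
    """Return the FullPath of every Department below the given location."""
    where, params = build_filter(location)
    rows = conn.execute(
        f"SELECT FullPath FROM Department WHERE {where} ORDER BY FullPath", params
    )
    return [r[0] for r in rows]
```

With "Department1" both variants return the two children of Department1; with a location of "Department%" the formatted version returns every child in the table while the parameterized version returns nothing.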