This thread has been locked and is no longer accepting new posts, if you have a question regarding this topic please email us at support@mindscape.co.nz
When LightSpeed inserts rows into the database, does it 'sanitize' the data (escaping quotes, etc.), so as to avoid SQL injection attacks, or is this something I need to pay attention to on my end?
All the inserted values are sent as database command parameters rather than inlined in the SQL. (If you set LightSpeedContext.VerboseLogging = true, you can see the parameters.) You therefore do not need to worry about escaping quotes etc.: the use of parameters defeats SQL injection.

Please note that in order to make the SQL understandable, the logger substitutes the values in for the parameters. So the logger may print out e.g. INSERT ... VALUES (1, 'Evil SQL injection', 234), but don't panic: what is actually sent to the database is still INSERT ... VALUES (@p0, @p1, @p2) with @p0 = 1, @p1 = 'Evil SQL injection' and @p2 = 234. You can verify this using a database monitoring tool such as SQL Profiler.

There are two exceptions to the "everything is sent as parameters" rule:

1. If you create a LiteralExpression and set its EmitInline to true, it will be inlined into the SQL string rather than being sent as a parameter. This is NEVER necessary for user input: it is provided ONLY for cases where a SQL function defines "magic literals" which must arrive inline, e.g. the SQL Server DATEPART function.

2. When using designer database sync or migrations, all SQL is inlined. This is okay because these tools are taking input from you (your model or code) rather than from your users.
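As an added illustration (not LightSpeed code and not part of the answer above), the same contrast in Python with sqlite3: a verbose-style logger that substitutes values into the placeholders for readability, beside what is actually executed with parameters, and the inlined form of the same text for comparison. The table, column names and note text are constructed for this example.

```python
import sqlite3

# Constructed user input: contains quotes, which break or alter an inlined
# statement but are harmless when sent as a parameter.
USER_NOTE = "O'Reilly's 'Evil SQL injection'"

# Named placeholders, the sqlite3 equivalent of the @p0/@p1/@p2 in the answer.
SQL = "INSERT INTO Orders (Id, Note, Amount) VALUES (:p0, :p1, :p2)"

def render_for_log(sql: str, params: dict) -> str:
    """Mimic a verbose logger: substitute values into the placeholders so the
    SQL reads naturally. This string is only ever printed, never executed."""
    out = sql
    for name, value in params.items():
        shown = f"'{value}'" if isinstance(value, str) else str(value)
        out = out.replace(f":{name}", shown)
    return out

def insert_parameterised(conn, params: dict) -> str:
    """Safe path: the database receives the template with placeholders and the
    values separately, so quotes inside a value are never parsed as SQL."""
    conn.execute(SQL, params)
    return SQL  # exactly what was sent to the database

def insert_inlined(conn, params: dict) -> bool:
    """Unsafe path, kept only for contrast: the value text is pasted into the
    statement. Returns False when the embedded quotes break the SQL."""
    try:
        conn.execute(render_for_log(SQL, params))
        return True
    except sqlite3.Error:
        return False

def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Orders (Id INTEGER, Note TEXT, Amount INTEGER)")
    params = {"p0": 1, "p1": USER_NOTE, "p2": 234}
    sent = insert_parameterised(conn, params)
    stored = conn.execute("SELECT Note FROM Orders WHERE Id = 1").fetchone()[0]
    return {
        "logged": render_for_log(SQL, params),      # what the logger shows
        "sent": sent,                               # what the database receives
        "stored": stored,                           # the value lands intact
        "inlined_ok": insert_inlined(conn, params), # same text inlined: fails
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```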