Namespace: sql

$.util.sql

Methods

<static> isValidParam(parameter) → {Boolean}

Checks whether an unquoted SQL parameter is valid.
This function checks whether the parameter contains characters (for example, SQL comment sequences) that an attacker could use to break out of the unquoted parameter and change the meaning of the statement.

For single-quoted or double-quoted parameters (for example, string literals in WHERE clauses), replace each single quote (') with two single quotes ('') and each double quote (") with two double quotes ("") instead.
Parameters:
  parameter (String): the parameter to be checked

Returns:
  Boolean
Example
// In this example the application wants to deactivate a user, but the
// attacker breaks out of the SQL statement with SQL comments: the resulting
// statement sets a new password instead, and the user is never deactivated
// because "DEACTIVATE USER NOW" ends up inside a comment.
// To avoid this, check the unquoted parameter with $.util.sql.isValidParam().
var maliciousParam = "testUsr99/**/PASSWORD/**/UserPassword123!--";
if ($.util.sql.isValidParam(maliciousParam)) {
  var commandDeactivate = "ALTER USER " + maliciousParam + " DEACTIVATE USER NOW";
  var conn = $.db.getConnection();
  conn.prepareStatement(commandDeactivate).execute();
} else {
  // malicious parameter detected: do not execute the statement
}
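As an added example that is not part of the SAP documentation, the stand-alone JavaScript below separates the two cases the text distinguishes: rejecting an unquoted parameter that would alter the statement, and doubling the delimiter for a quoted one. `isUnquotedParamSafe` is a hypothetical, deliberately conservative stand-in for `$.util.sql.isValidParam` (it is not the runtime's implementation), and `quoteWith` and `buildDeactivateStatement` are assumed names.

```javascript
// Added example; not code from the SAP HANA XS documentation or runtime.
// isUnquotedParamSafe is an ASSUMED stand-in for $.util.sql.isValidParam:
// a conservative identifier allow-list, not the real implementation.

// An unquoted parameter (e.g. a user name in ALTER USER) cannot be escaped,
// so anything that is not a plain identifier is rejected outright. This also
// rejects comment sequences (--, /* */), whitespace, quotes and semicolons.
var PLAIN_IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isUnquotedParamSafe(parameter) {
  if (typeof parameter !== "string" || parameter.length === 0) {
    return false;
  }
  return PLAIN_IDENTIFIER.test(parameter);
}

// A quoted parameter is handled as the text describes: every occurrence of
// the delimiter is doubled (' -> '' inside '...', " -> "" inside "...").
function quoteWith(value, delimiter) {
  if (delimiter !== "'" && delimiter !== '"') {
    throw new Error("delimiter must be a single or double quote");
  }
  var doubled = String(value).split(delimiter).join(delimiter + delimiter);
  return delimiter + doubled + delimiter;
}

// Builds the statement from the page's example, or returns null when the
// unquoted parameter could change the statement's meaning.
function buildDeactivateStatement(userName) {
  if (!isUnquotedParamSafe(userName)) {
    return null; // malicious or malformed parameter detected
  }
  return "ALTER USER " + userName + " DEACTIVATE USER NOW";
}

// Constructed inputs: the page's malicious parameter and a benign one.
var maliciousParam = "testUsr99/**/PASSWORD/**/UserPassword123!--";
var benignParam = "testUsr99";

console.log(buildDeactivateStatement(maliciousParam)); // null
console.log(buildDeactivateStatement(benignParam));    // ALTER USER testUsr99 DEACTIVATE USER NOW
console.log("SELECT * FROM USERS WHERE NAME = " + quoteWith("O'Brien", "'"));
```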