Namespace: sql
Methods
-
<static> isValidParam(parameter) → {Boolean}
-
Checks if an unquoted SQL parameter is valid.
This function checks whether the parameter contains characters (for example, SQL comment sequences) that an attacker could use to break out of the unquoted parameter position and change the meaning of the statement.
For single-quoted or double-quoted parameters (for example, in WHERE clauses), escape the value instead: replace each single quote (') with two single quotes ('') and each double quote (") with two double quotes (""). Note that the two mechanisms are not interchangeable: quote doubling does not make a value safe in an unquoted position, and this check does not make a value safe inside a quoted literal. Where the value is a literal rather than an identifier, binding it through a prepared-statement parameter is preferable to string concatenation.

Parameters:
Name        Type     Description
parameter   String   the parameter to be checked

Returns:
- Type
- Boolean
Example
// In this example the app wants to deactivate a user, but the attacker breaks out
// of the SQL statement with SQL comments. The concatenated statement reads
//   ALTER USER testUsr99/**/PASSWORD/**/UserPassword123!-- DEACTIVATE USER NOW
// so the server executes "ALTER USER testUsr99 PASSWORD UserPassword123!" and the
// "DEACTIVATE USER NOW" part is commented out: the user is never deactivated.
// To avoid this, check the parameter with $.util.sql.isValidParam() first.
var maliciousParam = "testUsr99/**/PASSWORD/**/UserPassword123!--";
if ($.util.sql.isValidParam(maliciousParam)) {
    var commandDeactivate = "ALTER USER " + maliciousParam + " DEACTIVATE USER NOW";
    var conn = $.db.getConnection();
    conn.prepareStatement(commandDeactivate).execute();
} else {
    // malicious param detected
}
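The following is an added, stand-alone illustration of the two situations the description distinguishes (an unquoted identifier position versus a quoted literal position); it is not SAP's implementation of $.util.sql.isValidParam and does not use the $.db API. The allow-list in isValidUnquotedParam is an assumption made for this example and is deliberately stricter than the server's identifier grammar; stripSqlComments is a simplified comment stripper used only to show what the server would execute; the USERS table and NAME column are hypothetical.

```javascript
"use strict";

// Assumed allow-list for an unquoted token (identifier-like): letters, digits and
// underscore only, so no whitespace, quotes, semicolons or comment sequences can
// appear. This is the example's own choice, not HANA's rule.
const UNQUOTED_TOKEN = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isValidUnquotedParam(param) {
  return typeof param === "string" && UNQUOTED_TOKEN.test(param);
}

// Escaping for a value placed inside a single-quoted or double-quoted literal, as
// the description states: each quote character is doubled, so the literal cannot
// be terminated early.
function escapeSingleQuoted(value) {
  return String(value).replace(/'/g, "''");
}

function escapeDoubleQuoted(value) {
  return String(value).replace(/"/g, '""');
}

// Simplified comment stripper (block comments and a trailing line comment), used
// only to show what remains of a statement after the attacker's comments.
function stripSqlComments(sql) {
  return sql.replace(/\/\*[\s\S]*?\*\//g, " ").replace(/--.*$/m, "");
}

// Unquoted position: the user name is an identifier, so it cannot be bound as a
// literal and must be validated before concatenation.
function buildDeactivate(userName) {
  if (!isValidUnquotedParam(userName)) {
    throw new Error("invalid unquoted SQL parameter: " + userName);
  }
  return "ALTER USER " + userName + " DEACTIVATE USER NOW";
}

// Quoted position (hypothetical USERS table): quote doubling keeps the whole
// input inside one string literal.
function buildNameQuery(name) {
  return "SELECT NAME FROM USERS WHERE NAME = '" + escapeSingleQuoted(name) + "'";
}

// Constructed inputs for the demonstration.
const malicious = "testUsr99/**/PASSWORD/**/UserPassword123!--";
const benign = "testUsr99";
const quoteAttack = "x' OR '1'='1";

function demo() {
  const naive = "ALTER USER " + malicious + " DEACTIVATE USER NOW";
  console.log("naive statement:      " + naive);
  console.log("what would execute:   " + stripSqlComments(naive));
  console.log("isValidUnquotedParam: " + isValidUnquotedParam(malicious));
  console.log("hardened:             " + buildDeactivate(benign));
  console.log("quoted literal:       " + buildNameQuery(quoteAttack));
}

if (typeof require !== "undefined" && require.main === module) {
  demo();
}
```

The unquoted case is the one this API exists for: an identifier such as a user name in ALTER USER cannot be passed as a bound parameter, so the only defence is to reject anything that is not a plain identifier before it is concatenated into the statement. The quoted case shows why the escaping rule in the description works and why it must not be used for an unquoted position: the doubled quotes keep the attacker's text inside one literal, but would do nothing for a token that is never quoted.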