Namespace: sql

Methods

<static> isValidParam(parameter) → {Boolean}

Checks if an unquoted SQL parameter is valid.
This function checks if the parameter contains characters (for example, SQL comments) which an attacker could use to break out of the unquoted parameter.

For single quoted or double quoted parameters (for example, in WHERE statements) please replace single quotes (') with two single quotes ('') and double quotes (") with two double quotes ("").

Parameters:

Name	Type	Description
`parameter`	String	parameter which has to be checked

Returns:

Type: Boolean

Example

// in this example the app actually wants to deactivate a user but
// the attacker breaks out of the SQL statement with the sql comments and the
// user is never deactivated since DEACTIVATE USER NOW was commented
// to avoid this you can use $.util.isValidParam()
var maliciousParam = "testUsr99/**/PASSWORD/**/UserPassword123!--";
if ($.util.sql.isValidParam(maliciousParam)) {
  var commandDeactivate = "ALTER USER " + maliciousParam + " DEACTIVATE USER NOW";
  var conn = $.db.getConnection();
  conn.prepareStatement(commandDeactivate).execute();
} else {
  // malicious param detected
}

AntiVirus	$.security
Application	$
Body	$.web
CallableStatement	$.db
Client	$.net.http
ColumnMetadata	$.hdb
Connection	$.db
Connection	$.hdb
Destination	$.net
Destination	$.net.http
EntityList	$.web
Job	$.jobs
JobLog	$.jobs
JobSchedules	$.jobs
Mail	$.net
ParameterMetaData	$.db
Part	$.net.Mail
PreparedStatement	$.db
ProcedureResult	$.hdb
Request	$.net.http
ResultSet	$.db
ResultSet	$.hdb
ResultSetIterator	$.hdb
ResultSetMetaData	$.db
ResultSetMetaData	$.hdb
SAXParser	$.util
Session	$
Session	$.text.analysis
Session	$.text.mining
SMTPConnection	$.net
SQLException	$.db
SQLException	$.hdb
Store	$.security
TupelList	$.web
WebEntityRequest	$.web
WebEntityResponse	$.web
WebRequest	$.web
WebResponse	$.web
Zip	$.util