Kahn
    3 years ago #27644

    Hello,

     

    Sanitization always depends on the use case. No sanitization is performed by the connector EXCEPT a check for whether one of the bad words (case-insensitive and trimmed) is present inside the WHERE statement. Words like DROPSHIP, or others that contain one of the words as a prefix/infix/suffix, are ignored; however, cases where a word appears as a whole inside single quotation marks or as a table name will also be detected as BAD words, albeit they are not bad words in such contexts.

     

    Example:

    SELECT * FROM table A WHERE status='UPDATE'

    SELECT * FROM table B WHERE update=false

     

    The main security benefit lies in the fact that this mode can only be executed inside a server-side business object, where sanitization can be applied on a use-case by use-case basis. Automatic sanitization by the connector cannot be provided (and will not be provided), as there are no generic rules that could be applied to it; it ALWAYS depends on the use case.

     

    Thus you are responsible for the sanitization in the business object.

     

    I hope this helps you.

     

    Best Regards
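The check described in the post above (whole-word, case-insensitive, trimmed match on the WHERE text, with false positives on quoted literals and identifiers) and the use-case-specific sanitization it leaves to the business object, as an added Python example that is not the connector's own code and not part of the original post. The keyword list, the function names and the allow-list of columns are assumptions for illustration; the post does not give the connector's actual list.

```python
import re

# Assumed keyword list for illustration; the connector's real list is not given in the post.
BAD_WORDS = {"DROP", "DELETE", "UPDATE", "INSERT", "ALTER", "TRUNCATE"}

# Assumed allow-list of columns a business object lets callers filter on.
ALLOWED_COLUMNS = {"id", "name", "status", "type"}

WORD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def find_bad_words(where_clause: str) -> list:
    """Reproduce the described connector check: every identifier-like token in the
    WHERE text is trimmed, upper-cased and compared as a whole word.

    DROPSHIP is not DROP, so substring hits are ignored. Quoted literals and column
    names are NOT distinguished from keywords, so 'UPDATE' and update=false are
    both flagged, exactly the false positives the post warns about."""
    tokens = WORD_RE.findall(where_clause)
    return sorted({t.strip().upper() for t in tokens if t.strip().upper() in BAD_WORDS})


def connector_accepts(where_clause: str) -> bool:
    """True when the (assumed) connector check would let the WHERE text through."""
    return not find_bad_words(where_clause)


def escape_literal(value: str) -> str:
    """Use-case-specific sanitization for a string literal: double embedded single
    quotes so the value cannot terminate the literal. This is the business object's
    job; the connector does none of it."""
    return value.replace("'", "''")


def build_where(column: str, value: str) -> str:
    """Build a WHERE clause for a single equality filter: the column comes from an
    allow-list (never from user input), the value is escaped as a literal."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % column)
    return "%s='%s'" % (column, escape_literal(value))


if __name__ == "__main__":
    for clause in ("status='UPDATE'", "update=false", "type='DROPSHIP'"):
        print(clause, "->", find_bad_words(clause))
    # Constructed input: an injection attempt that escaping neutralises but the
    # whole-word check still rejects, because DROP appears inside the literal.
    clause = build_where("name", "x'; DROP TABLE t --")
    print(clause, "->", connector_accepts(clause))
```

Note the last case: after escaping, the clause `name='x''; DROP TABLE t --'` is a harmless literal comparison, yet the whole-word check still flags DROP. Because the connector cannot tell a quoted DROP from a real one, the business object has to decide for its own use case how to handle such values, for instance by rejecting them or by matching on a different column.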