Passing Query from BO through request parameter Issue

Ishant
3 years ago #27370

      Hi,

Due to the recent update of Simplifier, we cannot pass a query from the BO through the request parameter. We truly understand that it can lead to SQL injection, and the best way to handle this is writing the query in the connector call itself.

1. But if we have to make our query dynamic, for example if we want to filter on around 10 columns or more, we have to make combinations of connector calls in order to achieve this, and it can lead to multiple connector calls, which I think is not an efficient solution, as more calls means more latency in data. So now, how can we create dynamic queries with an efficient solution?
2. And the applications which were already built earlier through this approach (passing the SQL query through the BO): will those applications stop working after this update, or at any time in the near future? There would be a lot of rework to change the whole backend functionality of all the applications.

Simplifier is a low-code platform which came to market to ease things out. But with this update, things are becoming more complex and repetitive. There should be some other solution for this, as from a low-code platform our expectation is to ease things out rather than making them more complex and slow.

      Hoping for a positive reply

      Thanks

      Ishant Kushwaha


Armin Winkler
3 years ago #27412

        Hi Ishant,

First off, thank you very much for your feedback concerning the SQL connector; it is much appreciated.

        So, to summarize the status quo and the upcoming changes regarding this topic:


As you mentioned, we have to keep in mind that possible SQL injections are a critical aspect of the security of the SQL connector. Therefore the decision was made that the request parameter can no longer be set via a server-side business object function; this change was first introduced with the release of Simplifier version 6.0. After hearing feedback from some customers concerning applications critical to their production environments which would no longer work after updating due to these changes, we decided to patch it and revert the changes for version 6.0 until 6.5 is released at the beginning of September 2021. At the same time, however, we implemented two new features to mitigate the issue you’re facing while still allowing some flexibility with regard to SQL statements that are passed from server-side BOs: repeatable statements and dynamic WHERE clauses. Both of them are documented in this new knowledge base article: https://community.simplifier.io/knowledge/dynamic-where-clause-and-repeatable-statements/

We recommend starting to refactor your SQL connector calls and server-side BO functions as soon as possible, so that they work the way intended as soon as Simplifier 6.5 is released, when dynamic requests passed by the server-side BO will only work by utilizing the aforementioned two features. This is in order to save time and pressure later in the year when you decide to update your systems to the newest version. Please let us know if it should not be possible to adapt all the dynamic queries you have implemented using dynamic WHERE clauses and repeatable statements without losing functionality, so we can look for a possible solution for your case.

Regarding your second question, whether existing applications will stop working after an update: I want to stress that YES, this will be the case as soon as your system is running version 6.5 and you try to execute one of the dynamic SQL connector calls you’ve implemented. You definitely have to rework your queries, but in the long term you will benefit from higher security in your applications and fewer possible manipulations from the client side, which is of the highest importance in this case.

        Hope this answers your questions.


        Regards,

        Armin
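The dynamic-filter problem raised in this thread (filtering on many columns without passing a raw SQL string from the BO), shown as an added illustration that is not part of either post and does not use Simplifier's own connector API: a WHERE clause is assembled from a filter dictionary, but column names are checked against an allowlist and every value is bound as a parameter, so a client-supplied value can never change the statement. The table name, column names and sample rows are constructed for the example; it runs against an in-memory SQLite database.

```python
import sqlite3

# Constructed for the example: the only columns a caller may filter on.
# Identifiers cannot be bound as SQL parameters, so they must be allowlisted.
ALLOWED_FILTER_COLUMNS = {"customer_id", "status", "country"}


def build_where(filters):
    """Turn {column: value} into a WHERE fragment plus a parameter list.

    Values never appear in the SQL text; they are returned separately so the
    driver binds them. A list value becomes an IN (...) clause, None becomes
    IS NULL, and an unknown column name is rejected outright.
    """
    clauses, params = [], []
    for column, value in filters.items():
        if column not in ALLOWED_FILTER_COLUMNS:
            raise ValueError(f"filter on column {column!r} is not permitted")
        if value is None:
            clauses.append(f"{column} IS NULL")
        elif isinstance(value, (list, tuple)):
            if not value:
                # Empty IN () is not portable SQL; an empty set matches nothing.
                clauses.append("1=0")
                continue
            placeholders = ", ".join("?" * len(value))
            clauses.append(f"{column} IN ({placeholders})")
            params.extend(value)
        else:
            clauses.append(f"{column} = ?")
            params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return where, params


def query_orders(conn, filters):
    """Run one parameterized SELECT for any combination of allowed filters."""
    where, params = build_where(filters)
    sql = f"SELECT id, customer_id, status, country FROM orders WHERE {where} ORDER BY id"
    return conn.execute(sql, params).fetchall()


def make_sample_db():
    """Constructed sample data so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER, "
        "status TEXT, country TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        [(1, 10, "open", "DE"), (2, 10, "closed", "DE"),
         (3, 11, "open", "US"), (4, 12, "open", "FR")],
    )
    return conn


if __name__ == "__main__":
    db = make_sample_db()
    print(query_orders(db, {"status": "open", "country": ["DE", "US"]}))
    # A value that would break a concatenated query is just a literal here
    # and matches no row.
    print(query_orders(db, {"status": "open' OR '1'='1"}))
```

One statement serves every filter combination, so the number of connector calls does not grow with the number of filterable columns; the only trusted input is the column allowlist, which lives in the code and not in the request.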
